Novell eDirectory 8.8 SP7
Installation Guide
Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2009-2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc.
1800 South Novell Place
Provo, UT 84606
U.S.A.
www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials

All third-party trademarks are the property of their respective owners.
Contents

About This Book

1 Installing or Upgrading Novell eDirectory on Linux
  1.1 System Requirements
  1.2 Prerequisites
  1.3 Hardware Requirements
  1.4 Forcing the Backlink Process to Run
  1.5 Upgrading eDirectory
    1.5.1 Server Health Checks
    1.5.2 Upgrading on Linux Servers Other Than OES
    1.5.3 Unattended Upgrade of eDirectory on UNIX
    1.5.4 Upgrading eDirectory on Existing OES
    1.5.5 Upgrading eDirectory During OES 1.0 to OES 2.0 Upgrade
    1.5.6 Upgrading the Tarball Deployment of eDirectory 8.8
    1.5.7 Upgrading Multiple Instances
    1.5.8 Disk Space Check on Upgrading to eDirectory 8.8 SP7
  1.6 Installing eDirectory
    1.6.1 Using SLP with eDirectory
    1.6.2 Using the nds-install Utility to Install eDirectory Components
    1.6.3 Nonroot User Installing eDirectory 8.8
    1.6.4 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server
    1.6.5 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8
    1.6.6 Using ndsconfig to Install a Linux Server into a Tree with Dotted Name Containers
    1.6.7 Using the nmasinst Utility to Configure NMAS
    1.6.8 Nonroot user SNMP configuration

  2.1 System Requirements
  2.2 Prerequisites
  2.3 Hardware Requirements
  2.4 Forcing the Backlink Process to Run
  2.5 Upgrading eDirectory
    2.5.1 Upgrading Multiple Instances
    2.5.2 Upgrading the Tarball Deployment of eDirectory 8.8
  2.6 Installing eDirectory
    2.6.1 Server Health Checks
    2.6.2 Using SLP with eDirectory
    2.6.3 Using the nds-install Utility to Install eDirectory Components
    2.6.4 Nonroot User Installing eDirectory 8.8
    2.6.5 Installing eDirectory 8.8 on Solaris 10 Zones
    2.6.6 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server
    2.6.7 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8
    2.6.8 Using ndsconfig to Install a Solaris Server into a Tree with Dotted Name Containers
    2.6.9 Using the nmasinst Utility to Configure NMAS
    2.6.10 Nonroot user SNMP configuration

  3.1 System Requirements
  3.2 Prerequisites
  3.3 Hardware Requirements
  3.4 Forcing the Backlink Process to Run
  3.5 Upgrading eDirectory
    3.5.1 Upgrading Multiple Instances
    3.5.2 Upgrading the Tarball Deployment of eDirectory 8.8
  3.6 Installing eDirectory
    3.6.1 Server Health Checks
    3.6.2 Using SLP with eDirectory
    3.6.3 Using the nds-install Utility to Install eDirectory Components
    3.6.4 Nonroot User Installing eDirectory 8.8
    3.6.5 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server
    3.6.6 Using ndsconfig to Configure Multiple Instances of eDirectory 8.8
    3.6.7 Using ndsconfig to Install an AIX Server into a Tree with Dotted Name Containers
    3.6.8 Using the nmasinst Utility to Configure NMAS
    3.6.9 Nonroot user SNMP configuration

  4.1 System Requirements
  4.2 Prerequisites
  4.3 Hardware Requirements
  4.4 Forcing the Backlink Process to Run
  4.5 Disk Space Check on Upgrading to eDirectory SP7 or later
  4.6 Installing Novell eDirectory on Windows
    4.6.1 Installing or Updating Novell eDirectory 8.8 on a Windows Server
    4.6.2 Server Health Checks
    4.6.3 Communicating with eDirectory through LDAP
    4.6.4 Installing NMAS Server Software
    4.6.5 Installing NMAS Client Software
    4.6.6 Installing into a Tree with Dotted Name Containers
    4.6.7 Unattended Install and Configure to eDirectory 8.8 SP7 on Windows

  6.1 Reference Changes in 8.8 SP1 or later versions
  6.2 Upgrade Process in 8.8 SP7
  6.3 Performing a Dry Run before Upgrading eDirectory
    6.3.1 Common Problems Encountered during the Upgrade Process

  7.1 Configuration Utilities
    7.1.1 The ndsconfig Utility
    7.1.2 Using LDAP Tools to Configure the LDAP Server and LDAP Group Objects
    7.1.3 Using the nmasinst Utility to Configure Novell Modular Authentication Service
    7.1.4 Using ndsd init Script
  7.2 Configuration Parameters
  7.3 Security Considerations

  8.1 Migrating to eDirectory 8.8 SP7 While Upgrading the Operating System
  8.2 Migrating to eDirectory 8.8 SP7 Without Upgrading the Operating System

  9.1 Planning Your Migration
    9.1.1 System Requirements
    9.1.2 Prerequisites
    9.1.3 Supported Platforms
    9.1.4 Considerations
  9.2 Migration Tools
  9.3 Migration Procedure
  9.4 After the Migration

  10.1 Clustering eDirectory Services on Linux
    10.1.1 Prerequisites
    10.1.2 Installing and Configuring eDirectory
    10.1.3 Configuring SNMP Server in Clustered Linux Environments
  10.2 Clustering eDirectory Services on Windows
    10.2.1 Prerequisites
    10.2.2 Installing and Configuring eDirectory
    10.2.3 Configuring SNMP Server in Clustered Windows Environments
  10.3 Troubleshooting Clustered Environments
    10.3.1 Repairing or Upgrading eDirectory on Clustered Nodes
    10.3.2 Creating Windows Registry Keys
  10.4 Configuration Utility Options

  11.1 Uninstalling eDirectory on Windows
    11.1.1 Uninstalling eDirectory, ConsoleOne, and SLP DA
    11.1.2 Unattended Uninstallation of eDirectory
    11.1.3 Uninstalling NICI
    11.1.4 Uninstalling Microsoft Visual C++ 2005 Runtime Libraries
  11.2 Uninstalling eDirectory on Linux, Solaris, or AIX
  11.3 Unattended Uninstallation of eDirectory on UNIX
  11.4 Caveats for Uninstalling eDirectory

  12.1 Auditing with Novell Audit
    12.1.1 Supported Platforms
    12.1.2 Prerequisites
    12.1.3 Installing Novell Audit Packages
    12.1.4 Installing the Novell Audit iManager Plug-in
    12.1.5 Understanding eDirectory Event Reporting
    12.1.6 Understanding eDirectory Event Types
    12.1.7 Understanding eDirectory Auditing Event Filtering
    12.1.8 Configuring the Novell Audit Platform Agent
    12.1.9 Configuring Novell Audit for eDirectory
    12.1.10 Loading the Audit Module
    12.1.11 Monitoring eDirectory Events with Sentinel
    12.1.12 Uninstalling the Novell Audit Packages
  12.2 Auditing with XDASv2

A Linux, Solaris, and AIX Packages for Novell eDirectory

B eDirectory Health Checks
  B.1 Need for Health Checks
  B.2 Performing Health Checks
    B.2.1 With the Upgrade
    B.2.2 As a Standalone Utility
  B.3 Types of Health Checks
    B.3.1 Basic Server Health
    B.3.2 Partitions and Replica Health
  B.4 Categorization of Health
    B.4.1 Normal
    B.4.2 Warning
    B.4.3 Critical
  B.5 Log Files

  C.1 Service Location Protocol
  C.2 SLP Fundamentals
    C.2.1 Novell Service Location Providers
    C.2.2 User Agents
    C.2.3 Service Agents
  C.3 Configuration Parameters
About This Book

Audience

The guide is intended for network administrators.

Feedback

We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation and enter your comments there.

Documentation Updates

For the most recent version of the Novell eDirectory 8.8 SP7 Installation Guide, see the Novell eDirectory online documentation (http://www.novell.com/documentation/edir88/index.html) Web site.

Additional Documentation

For documentation on managing and administering eDirectory, see the Novell eDirectory 8.8 SP7 Administration Guide (http://www.novell.com/documentation/edir88/edir88/data/a2iii88.html).
1 Installing or Upgrading Novell eDirectory on Linux

Use the following information to install or upgrade Novell eDirectory 8.8 on a Linux server:
  Section 1.1, System Requirements, on page 9
  Section 1.2, Prerequisites, on page 11
  Section 1.3, Hardware Requirements, on page 13
  Section 1.4, Forcing the Backlink Process to Run, on page 13
  Section 1.5, Upgrading eDirectory, on page 13
  Section 1.6, Installing eDirectory, on page 19
1.1 System Requirements

You must install eDirectory on one of the following platforms.

For a 32-bit eDirectory installation:

  32-bit (x86_32)
    SUSE Linux Enterprise Server (SLES) 11 SP1 and later Support Packs
    SLES 10 SP4 and later Support Packs
      NOTE: You might get a warning message while installing eDirectory 8.8 SP7 on SLES 10 SP3. Ignore this warning message. For more information, see TID 7005524 (http://www.novell.com/support/kb/doc.php?id=7005524).
    Red Hat Enterprise Linux (RHEL) AP 5.4 and later Support Packs
    RHEL 6 AP and its Support Packs
    RHEL 6 AP virtualization
    Xen (on SLES 10 and SLES 11 and their Support Packs)
    VMware ESX

  64-bit (x86_64)
    SLES 11 SP1 and later Support Packs
    SLES 10 SP4 and later Support Packs
    RHEL AP 5.4 and later Support Packs
    RHEL 6 AP and its Support Packs
    RHEL 6 AP virtualization
    VMware ESX
    Xen (on SLES 10 and SLES 11 and their Support Packs)

NOTE: eDirectory 8.8 SP7 is supported on the SLES 10 XEN virtualization service that runs the SLES 10 guest OS. The following updates are available at the Novell Update Web site (https://update.novell.com):
  SUSE Linux Enterprise Server X86_64 10-0-20061011-020434
  SLES 10 Updates
For registering and updating SUSE Linux Enterprise 10, refer to Registering SUSE Linux Enterprise with the Novell Customer Center (http://www.suse.com/products/register.html). After installing the latest update, ensure that the minimum patch level of the installed update is 3.0.2_097630.8. To determine the version of SUSE Linux you are running, see the /etc/SuSE-release file.

Ensure that the latest glibc patches are applied from Red Hat Errata (http://rhn.redhat.com/errata) on Red Hat systems. The minimum required version of the glibc library is version 2.1.

For a 64-bit eDirectory installation:
  SLES 11 SP1 64-bit and later Support Packs
  SLES 10 SP4 64-bit and later Support Packs
  RHEL 5 and its Support Packs
  RHEL 6 and its Support Packs
  VMware ESX
  RHEL virtualization (5.0 and 6.0)
  XEN (on SLES 10 and SLES 11 and their Support Packs)

NOTE: If you install eDirectory on a SLES 11 SP2 server within a BTRFS file system, you may experience performance issues when performing LDAP operations or using the Novell Import Conversion Export Utility (ICE). For performance reasons, it is recommended that you use the ext3 file system for your eDirectory server.

eDirectory also requires the following:
  A minimum of 512 MB RAM for eDirectory
  162 MB of disk space for the eDirectory server
  30 MB of disk space for the eDirectory administration utilities
  150 MB of disk space for every 50,000 users
  Ensure that gettext is installed
    NOTE: By default, gettext is not installed. Ensure that you install it before you run nds-install, or the installer displays messages about it being missing. On SLES, gettext is available on the install CDs.
  Ensure that the net-snmp-32bit RPM is installed on 64-bit SLES or OES Linux. The RPM is available on the SLES 10 64-bit install CD.
  If you use ZLM for patch management, apply the hot patch ZLM 6.6.2 HP4 before upgrading to eDirectory 8.8 SP7. On servers such as vanilla SLES 10 or SLES 10 SP1, libredcarpet should be upgraded to the latest patch level using YaST Online Update.
1.2 Prerequisites

IMPORTANT: Check the currently installed Novell and third-party applications to determine if those products are supported on eDirectory 8.8 before upgrading your existing eDirectory environment. The prerequisites for other Novell products can be found on the Novell Documentation site (http://www.novell.com/documentation/). We also recommend that you back up an eDirectory instance before performing any upgrades on that instance.

(Conditional) Novell International Cryptographic Infrastructure (NICI) 2.7 and eDirectory 8.8 support key sizes up to 4096 bits. If you want to use 4096-bit keys, every server must be upgraded to eDirectory 8.8. In addition, every workstation using the management utilities, for example, iManager and ConsoleOne, must have NICI 2.7 installed on it.
  When you upgrade your Certificate Authority (CA) server to eDirectory 8.8, the key size does not change; it remains 2048 bits. The only way to obtain a 4096-bit CA key is to recreate the CA on an eDirectory 8.8 server and change the key size from the default 2048 bits to 4096 bits during the CA creation.
  When you install eDirectory, the nds-install utility automatically installs NICI. For more information about installing eDirectory, see Section 1.6.2, Using the nds-install Utility to Install eDirectory Components, on page 20. However, if you need to install only NICI, and not eDirectory itself, on a workstation that has the management utilities installed, you must install NICI manually. For more information about manually installing NICI, see Installing NICI on page 23.

Service Location Protocol (SLP) installed and configured
  With eDirectory 8.8, SLP does not get installed as part of the eDirectory installation. Only a root user can install SLP. For more information on installing SLP, refer to Using SLP with eDirectory on page 19.

The Linux host enabled for multicast routing
  To check if the host is enabled for multicast routing, enter the following command:

    /bin/netstat -nr

  The following entry should be present in the routing table:

    224.0.0.0 0.0.0.0

  If the entry is not present, log in as root and enter the following command to enable multicast routing:

    route add -net 224.0.0.0 netmask 240.0.0.0 dev interface

Network server time synchronized
  Use Network Time Protocol (NTP) xntpd to synchronize time across all network servers.

compat-libstdc++ RPM
  If the compat-libstdc++ RPM is not present on your host machine, install it. This RPM contains libstdc++-libc6.1-1.so.2.

(Conditional) compat-libstdc++-33-3.2.3-61.i386.rpm
  If you are installing eDirectory on RHEL 5.4, install compat-libstdc++-33-3.2.3-61.i386.rpm.

java-1_4_2-jre package
  For YaST-based installation, install the java-1_4_2-jre package. This contains libjava.so and libjvm.so.

(Conditional) If you are installing a secondary server, all the replicas in the partition that you install the product on should be in the On state.

(Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, create a container and then partition it. Ensure that you have the following rights:
  Supervisor rights to this partition.
  All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.
  Entry rights: browse rights over the Security container object.
  All Attributes rights: read and compare rights over the Security container object.

(Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that at least one of the servers in the tree has the same or a higher eDirectory version than the secondary being added as container admin. If the secondary being added is of a later version, the schema needs to be extended by the administrator of the tree before adding the secondary using container admin.

While configuring eDirectory, you must enable SLP services and a NetWare Core Protocol (NCP) port (the default is 524) in the firewall to allow the secondary server addition. Additionally, you can enable the following service ports based on your requirements:
  LDAP cleartext 389
  LDAP secured 636
  HTTP cleartext 8028
  HTTP secured 8030
  If you have enabled user-defined ports, you must specify these ports while configuring eDirectory. Open the cleartext ports (389 and 8028) only where clients actually require them; the secured ports (636 and 8030) carry the same services over TLS.

Do not set the user-defined ports to 8008 and 8010 while upgrading eDirectory 8.8 SP2 or later versions to 8.8 SP7. If the ports are set to 8008 or 8010, ndsconfig assumes that the server is a pre-eDirectory 8.8.x server and automatically resets them to 8028 and 8030 respectively.

During an eDirectory upgrade, if SecretStore has not already been configured with the previous versions, or you do not want to configure SecretStore, use the -m no_ss option with the nds-install utility.
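As an added example (not part of the Novell guide), the POSIX shell functions below check two of the prerequisites above without touching the network: that a 224.0.0.0 multicast route exists, and that user-defined HTTP ports are not 8008/8010 (the values ndsconfig silently resets during an upgrade). The routing-table text and the interface name are passed in as arguments so the logic runs against the constructed sample tables embedded here; on a real host you would feed it the output of /bin/netstat -nr. The function names and the ROOT_APPLY switch are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for the multicast-route and port prerequisites.
# Added example; not a script shipped with eDirectory.

# multicast_route_present ROUTING_TABLE_TEXT
# Returns 0 if a route whose destination is 224.0.0.0 is in the text.
multicast_route_present() {
    printf '%s\n' "$1" | awk '
        $1 == "224.0.0.0" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# multicast_route_fix IFACE
# Prints the command the guide prescribes; executes it only when the
# caller sets ROOT_APPLY=1 (assumed switch), so a dry run is the default.
multicast_route_fix() {
    cmd="route add -net 224.0.0.0 netmask 240.0.0.0 dev $1"
    if [ "${ROOT_APPLY:-0}" = "1" ]; then
        $cmd
    else
        printf 'dry run: %s\n' "$cmd"
    fi
}

# http_ports_ok CLEAR SECURE
# 8008/8010 are treated by ndsconfig as pre-8.8 defaults and reset to
# 8028/8030 on upgrade, so refuse them as user-defined ports.
http_ports_ok() {
    for p in "$1" "$2"; do
        case "$p" in
            8008|8010) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample routing tables (not captured from a real host).
ROUTES_WITH_MCAST='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0'

ROUTES_WITHOUT_MCAST='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0'

# preflight ROUTING_TABLE_TEXT IFACE HTTP_CLEAR HTTP_SECURE
# Returns 0 when both prerequisites hold, 1 otherwise.
# On a live host: preflight "$(/bin/netstat -nr)" eth0 8028 8030
preflight() {
    table=$1; iface=$2; clear=$3; secure=$4; rc=0
    if multicast_route_present "$table"; then
        echo "ok: multicast route present"
    else
        echo "missing: multicast route"
        multicast_route_fix "$iface"
        rc=1
    fi
    if http_ports_ok "$clear" "$secure"; then
        echo "ok: HTTP ports $clear/$secure"
    else
        echo "bad: HTTP ports must not be 8008 or 8010"
        rc=1
    fi
    return $rc
}

preflight "$ROUTES_WITH_MCAST" eth0 8028 8030
```

The route check matches on the destination column only, which is what the guide's expected entry shows; the fix step is printed rather than run unless explicitly enabled, because `route add` needs root and should be reviewed before an automated installer executes it.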
1.3 Hardware Requirements

Hardware requirements depend on the specific implementation of eDirectory. Two factors increase performance: more cache memory and faster processors. For best results, cache as much of the Directory Information Base (DIB) Set as the hardware allows.

eDirectory scales well on a single processor. However, Novell eDirectory 8.8 takes advantage of multiple processors. Adding processors improves performance in some areas, for example logins, and having multiple threads active on multiple processors also improves performance. eDirectory itself is not processor intensive, but it is I/O intensive.

The following table illustrates typical system requirements for eDirectory for Linux:

  Objects      Processor                           Memory   Hard Disk
  100,000      Pentium III 450-700 MHz (single)    384 MB   144 MB
  1 million    Pentium III 450-700 MHz (dual)      2 GB     1.5 GB
  10 million   Pentium III 450-700 MHz (2 to 4)    2+ GB    15 GB
1.4 Forcing the Backlink Process to Run
1.5 Upgrading eDirectory

  Section 1.5.1, Server Health Checks, on page 14
  Section 1.5.2, Upgrading on Linux Servers Other Than OES, on page 14
  Section 1.5.3, Unattended Upgrade of eDirectory on UNIX, on page 15
  Section 1.5.4, Upgrading eDirectory on Existing OES, on page 16
  Section 1.5.5, Upgrading eDirectory During OES 1.0 to OES 2.0 Upgrade, on page 16
  Section 1.5.6, Upgrading the Tarball Deployment of eDirectory 8.8, on page 16
  Section 1.5.7, Upgrading Multiple Instances, on page 18
  Section 1.5.8, Disk Space Check on Upgrading to eDirectory 8.8 SP7, on page 18

IMPORTANT: Ensure that a supported version of SSP is installed on eDirectory 8.7.3 SPx before upgrading to eDirectory 8.8 SP7.
  For eDirectory 8.7.3 SP9, ensure that SSP 203 is installed.
  For eDirectory 8.7.3 SP10, ensure that SSP 206 is installed.

NOTE: The ndsconfig upgrade command is used to upgrade the necessary configuration of the individual components such as HTTP, LDAP, SNMP, SAS, and Novell Modular Authentication Service (NMAS). The eDirectory database is upgraded to a new format if eDirectory versions prior to eDirectory 8.8 SP1 are upgraded to eDirectory 8.8 SP7.
1.5.1 Server Health Checks

1.5.2 Upgrading on Linux Servers Other Than OES
1.5.3
A health check of all the root instances planned for upgrade is done manually with the ndscheck utility.

1 Export LD_LIBRARY_PATH, SHLIB_PATH and LIBPATH to <untarred location of eDirectory>/eDirectory/setup/utils.
  1a Run ndscheck using one of the following commands:
     <untarred location of eDirectory>/eDirectory/setup/utils/ndscheck -a <user name> -w passwd --config-file <nds.conf with absolute path>
     Passing the password through an environment variable:
     <untarred location of 88SP7>/eDirectory/setup/utils/ndscheck -a <user name> -w env:<environment variable> --config-file <nds.conf with absolute path>
     Passing the password through a file:
     <untarred location of 88SP7>/eDirectory/setup/utils/ndscheck -a <user name> -w file:<filename> --config-file <nds.conf with absolute path>
     A password given literally after -w is visible to every local user in the process list and is kept in the shell history; in scripts prefer the env: or file: form, and keep the file readable only by the account running the upgrade.
     Any one of the above can be used in an automated script for the health check. For example:
     /Builds/eDirectory/utils/ndscheck -a admin.novell -w n
     /Builds/eDirectory/utils/ndscheck -a admin.novell -w env:ADM_PASWD
     /Builds/eDirectory/utils/ndscheck -a admin.novell -w file:adm_paswd
2 Upgrade the eDirectory 8.8 packages:
  2a Run the nds-install script to upgrade the packages as follows:
     nds-install -u -i -j
3 Update the following environment variables:
  PATH=/opt/novell/eDirectory/bin:/opt/novell/eDirectory/sbin:$PATH
  LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:$LD_LIBRARY_PATH
  MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH
  TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale
4 Upgrade eDirectory with the ndsconfig utility for all the root instances, using the following commands:
  ndsconfig upgrade -a <user name> -w passwd -c --config-file <nds.conf with absolute path>
  Passing the password through an environment variable:
  ndsconfig upgrade -a <user name> -w env:<environment variable> -c --config-file <nds.conf with absolute path>
  Passing the password through a file:
  ndsconfig upgrade -a <user name> -w file:<filename with absolute/relative path> -c --config-file <nds.conf with absolute path>
  Any of the above can be used in an automated script for the eDirectory upgrade. For example:
  ndsconfig upgrade -a admin.novell -w n -c --config-file /etc/opt/novell/eDirectory/conf/nds.conf
  ndsconfig upgrade -a admin.novell -w env:ADM_PASWD -c --config-file /etc/opt/novell/eDirectory/conf/nds.conf
  ndsconfig upgrade -a admin.novell -w file:/Builds/88SP7/adm_paswd -c --config-file /etc/opt/novell/eDirectory/conf/nds.conf
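The health check and upgrade commands above, driven from one script, as an added example that is not part of the Novell guide. It assumes the admin password is kept in a file that only the upgrading account can read (the -w file: form), that the nds.conf paths are passed master replica first, and that the SP7 tarball was untarred under NDS_UNTAR; the variable and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Novell guide): run ndscheck over every root
# instance, then ndsconfig upgrade over the same list, without ever putting
# the admin password on a command line.
# Assumptions: NDS_UNTAR, ADMIN_FDN and PWFILE are this example's own names;
# the password file is mode 0600 and owned by the caller; the instance list
# given on the command line is ordered master replica first.
set -u

NDS_UNTAR="${NDS_UNTAR:-/Builds/eDirectory}"   # untarred 8.8 SP7 location
ADMIN_FDN="${ADMIN_FDN:-admin.novell}"
PWFILE="${PWFILE:-/root/.edir_admin_pw}"       # holds the admin password

# -w file: is only safer than -w passwd if nobody else can read the file.
secret_file_ok() {      # $1 = password file
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)          # e.g. -rw-------
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$mode" = "-rw-------" ] && [ "$owner" = "$(id -un)" ]
}

# Command lines as strings, so they can be logged and checked before use.
ndscheck_cmd() {        # $1 = nds.conf (absolute path)
    printf '%s/eDirectory/setup/utils/ndscheck -a %s -w file:%s --config-file %s' \
        "$NDS_UNTAR" "$ADMIN_FDN" "$PWFILE" "$1"
}
ndsconfig_upgrade_cmd() {   # $1 = nds.conf (absolute path)
    printf 'ndsconfig upgrade -a %s -w file:%s -c --config-file %s' \
        "$ADMIN_FDN" "$PWFILE" "$1"
}

# Health-check every instance first; an unhealthy replica is not upgraded.
# Then upgrade in list order (master replica first, as the guide requires).
upgrade_instances() {   # args: nds.conf paths, master replica first
    secret_file_ok "$PWFILE" || {
        echo "refusing: $PWFILE must be mode 0600 and owned by $(id -un)" >&2; return 1; }
    for conf in "$@"; do
        echo "health check: $conf"
        sh -c "$(ndscheck_cmd "$conf")" || { echo "ndscheck failed for $conf; aborting" >&2; return 1; }
    done
    for conf in "$@"; do
        echo "upgrading: $conf"
        sh -c "$(ndsconfig_upgrade_cmd "$conf")" || {
            echo "upgrade failed for $conf; repair before continuing" >&2; return 1; }
    done
}

# Only act when invoked as:  ./upgrade.sh --run /path/master/nds.conf ...
# so the file can be sourced for its functions without side effects.
if [ "${1:-}" = "--run" ]; then
    shift
    export LD_LIBRARY_PATH="$NDS_UNTAR/eDirectory/setup/utils${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    export SHLIB_PATH="$NDS_UNTAR/eDirectory/setup/utils"
    export LIBPATH="$NDS_UNTAR/eDirectory/setup/utils"
    upgrade_instances "$@"
fi
```

The script stops at the first failing health check, so a bad replica never reaches step 4, and it stops at the first failed upgrade so the remaining replicas stay on the old version until the failure is understood.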
1.5.4
1.5.5
1.5.6
$NDSHOME/eDirectory/etc/opt/novell/eDirectory/conf/ndsimon.conf file for any errors before proceeding with the upgrade.
5 Stop all instances using ndsmanage.
6 Untar the tarball in the same location ($NDSHOME) where eDirectory is installed. By untarring the tarball in the same location, you are overwriting the binaries and libraries.
7 Upgrade the following packages if necessary.

  Platform         Command                                                                          Packages
  Linux 32-bit
  Linux 64-bit                                                                                      novell-NOVLsubag-8.8.61.x86_64.rpm, nici64-2.7.60.01.x86_64.rpm
  Solaris 32-bit   Remove the older version: pkgrm <pkg name>. Install the new version: pkgadd -d <pkg name>.
  Solaris 64-bit                                                                                    NOVLsubagx.pkg, NOVLniu64.pkg
  AIX              installp -acgXd <pkg name with full path> <pkg name> all

  NOTE: For more information on installing 32- and 64-bit NICI, refer to Installing NICI on page 23.
8 Restore the configuration files.
9 Run $NDSHOME/eDirectory/opt/novell/eDirectory/bin/ndspath to set all environment variables.
10 Run ndsconfig upgrade -j for all instances. While running ndsconfig upgrade, follow the order in which the master replica is first, followed by Read/Write and others.
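The tarball upgrade of steps 5 to 10 as one script, added here as an example and not taken from the guide. It assumes a hypothetical instances.list file under $NDSHOME naming each instance's nds.conf (master replica first), a vendor-published SHA-256 for the SP7 tarball, GNU sha256sum, and the -a/-w file: credentials of Section 1.5.3 so that ndsconfig upgrade does not prompt; the files under etc/ are saved before the overwrite of step 6 and put back in step 8.

```shell
#!/bin/sh
# Added example, not from the guide: steps 5-10 of the tarball upgrade.
# Assumptions (this example's own): $NDSHOME/instances.list lists nds.conf
# paths, master replica first; EXPECTED_SHA256 is the digest published for
# the tarball; ADMIN_FDN and PWFILE are as in the package-upgrade example.
set -u

NDSHOME="${NDSHOME:-$HOME/edir}"
TARBALL="${TARBALL:-$HOME/eDirectory_88SP7.tar}"
EXPECTED_SHA256="${EXPECTED_SHA256:-}"      # from the vendor download page
ADMIN_FDN="${ADMIN_FDN:-admin.novell}"
PWFILE="${PWFILE:-$HOME/.edir_admin_pw}"

# Step 6 overwrites binaries and libraries, so refuse a tarball whose
# digest does not match the published one.
tarball_ok() {          # $1 = tarball, $2 = expected hex digest
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Save everything under eDirectory/etc (nds.conf, ndsimon.conf, ...) so
# the overwrite cannot lose a local setting; restore puts it back (step 8).
backup_conf() {         # $1 = NDSHOME, $2 = backup tar (absolute path)
    (cd "$1" && tar cf "$2" eDirectory/etc)
}
restore_conf() {        # $1 = NDSHOME, $2 = backup tar (absolute path)
    (cd "$1" && tar xf "$2")
}

upgrade_tarball() {
    list="$NDSHOME/instances.list"
    tarball_ok "$TARBALL" "$EXPECTED_SHA256" || {
        echo "digest mismatch for $TARBALL; not upgrading" >&2; return 1; }
    backup="$NDSHOME/conf-backup-$(date +%Y%m%d%H%M%S).tar"
    while read -r conf; do                                  # step 5
        ndsmanage stop --config-file "$conf" || return 1
    done < "$list"
    backup_conf "$NDSHOME" "$backup" || return 1
    (cd "$NDSHOME" && tar xf "$TARBALL") || return 1        # step 6
    restore_conf "$NDSHOME" "$backup" || return 1           # step 8
    . "$NDSHOME/eDirectory/opt/novell/eDirectory/bin/ndspath"   # step 9
    while read -r conf; do                                  # step 10, master first
        ndsconfig upgrade -j -a "$ADMIN_FDN" -w "file:$PWFILE" -c --config-file "$conf" || {
            echo "upgrade failed for $conf; stop and repair" >&2; return 1; }
    done < "$list"
}

# Run only as:  ./tarball-upgrade.sh --run
if [ "${1:-}" = "--run" ]; then
    upgrade_tarball
fi
```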
1.5.7
Upgrading Multiple Instances

Order of Upgrade

While running ndsconfig upgrade, it is recommended to follow the order in which the master replica comes first and then Read/Write or other replicas.
1.5.8
Disk Space Check on Upgrading to eDirectory 8.8 SP7
1.6
Installing eDirectory
The following sections provide information about installing Novell eDirectory on Linux:
Section 1.6.1, Using SLP with eDirectory, on page 19
Section 1.6.2, Using the nds-install Utility to Install eDirectory Components, on page 20
Section 1.6.3, Nonroot User Installing eDirectory 8.8, on page 23
Section 1.6.4, Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server, on page 26
Section 1.6.5, Using ndsconfig to Configure Multiple Instances of eDirectory 8.8, on page 31
Section 1.6.6, Using ndsconfig to Install a Linux Server into a Tree with Dotted Name Containers, on page 36
Section 1.6.7, Using the nmasinst Utility to Configure NMAS, on page 37
Section 1.6.8, Nonroot user SNMP configuration, on page 38
1.6.1
Using SLP with eDirectory

For example:

# This is an example of a hosts.nds file:
# Tree name            Internet address/DNS Resolvable Name
CORPORATE.             myserver.mycompany.com
novell.CORPORATE.      1.2.3.4:524
# Server name          Internet address
CORPSERVER             myserver.mycompany.com

For example, to search for the services whose svcname-ws attribute matches the value SAMPLE_TREE, enter the following command:

/usr/bin/slptool findattrs services:ndap.novell///(svcname-ws==SAMPLE_TREE)/

If you have a service registered with its svcname-ws attribute as SAMPLE_TREE, the output will be similar to the following:

service:ndap.novell:///SAMPLE_TREE
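The hosts.nds lookup as a function, added here as an example and not part of the guide. It assumes the layout of the sample above: comment lines start with #, tree names end with a dot, and the second column is a host name or host:port. The sample file is written by the block itself; hosts_nds_lookup and hosts_nds_trusted are the example's own names.

```shell
#!/bin/sh
# Added example, not from the guide: resolve a tree or server name through
# hosts.nds the way a client does when SLP cannot answer.
# Assumptions: the file layout is the one in the guide's sample (comments
# with #, tree names with a trailing dot, second field host or host:port).
set -u

# Writes a constructed sample with the same layout as the guide's example.
write_sample_hosts_nds() {  # $1 = path
    cat > "$1" <<'EOF'
# constructed sample hosts.nds
# Tree name         Internet address/DNS Resolvable Name
CORPORATE.          myserver.mycompany.com
novell.CORPORATE.   1.2.3.4:524
# Server name       Internet address
CORPSERVER          myserver.mycompany.com
EOF
}

# Print the address for NAME; return 1 if NAME is not listed.
hosts_nds_lookup() {    # $1 = hosts.nds path, $2 = name (tree names end with '.')
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }                  # comment line
        NF < 2           { next }                  # blank or malformed line
        $1 == want       { print $2; found = 1; exit }
        END              { exit found ? 0 : 1 }
    ' "$1"
}

# hosts.nds is a static trust anchor: whoever can edit it decides which
# host answers for a tree name. Accept only a root-owned file that is
# neither group- nor world-writable.
hosts_nds_trusted() {   # $1 = hosts.nds path
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)             # e.g. -rw-r--r--
    owner=$(ls -ld "$1" | awk '{print $3}')
    case "$perms" in
        ?????w*|????????w*) return 1 ;;           # group or world writable
    esac
    [ "$owner" = root ]
}
```

Run the lookup against the real file only after hosts_nds_trusted accepts it; a writable hosts.nds lets a local user redirect NCP connections for every tree listed in it.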
1.6.2
Using the nds-install Utility to Install eDirectory Components

nds-install Parameter   Description
-h or --help
-i
-j
-m                      Specifies the module name to configure. While configuring a new tree, you can configure only the ds module. After configuring the ds module, you can add the NMAS, LDAP, SAS, SNMP, HTTP services, and Novell SecretStore (ss) using the add command. If the module name is not specified, all the modules are installed.
-u                      Specifies the option to use in an unattended install mode. For unattended install to proceed, you need to enter at least the -c option at the command line, or else the install will abort.
The installation program installs the following RPMs:

eDirectory Component       Packages Installed                                                       Description
eDirectory Server          novell-NDSbase novell-NDScommon novell-NDSmasv novell-NDSserv             The eDirectory replica server is installed on the specified server.
                           novell-NDSimon novell-NDSrepair novell-NDSdexvnt novell-NOVLsubag
                           novell-NOVLsnmp novell-NOVLpkit novell-NOVLpkis novell-NOVLpkia
                           novell-NOVLembox novell-NOVLlmgnt novell-NOVLxis novell-NLDAPsdk
                           novell-NLDAPbase novell-NOVLsas novell-NOVLntls novell-NOVLnmas
                           novell-NOVLldif2dib novell-NOVLncp
Administration Utilities                                                                            The Novell Import Conversion Export and LDAP Tools administration utilities are installed on the specified workstation.
2 If you are prompted, enter the complete path to the license file.

For 64-bit:
export LD_LIBRARY_PATH=/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/lib64:$LD_LIBRARY_PATH
export MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH
export TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR

Export the paths in the current shell as follows:

. /opt/novell/eDirectory/bin/ndspath

You can use the ndsconfig utility to configure eDirectory Server after installation. Novell Modular Authentication Service (NMAS) is installed as part of the server component. By default, ndsconfig configures NMAS. You can also use the nmasinst utility to configure the NMAS server after installation. This must be done after configuring eDirectory with ndsconfig.
For more information on the ndsconfig utility, see The ndsconfig Utility on page 101.
For more information on the nmasinst utility, see Using the nmasinst Utility to Configure NMAS on page 37.

NOTE: After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.
For more information about backing up eDirectory, see Backing Up and Restoring Novell eDirectory in the Novell eDirectory 8.8 SP7 Administration Guide.
1.6.3
Nonroot User Installing eDirectory 8.8

Prerequisites

If you want to install eDirectory using the tarball and not the nds-install utility, ensure that NICI is installed. For information on installing NICI, refer to Installing NICI on page 23.
Ensure that the SNMP subagent is installed, using the rpm command (rpm -ivh --nodeps <SNMP subagent rpm>; see Section 1.6.8, Nonroot user SNMP configuration).
If you want to use SLP and SNMP, ensure that they are installed by the root user.
Write rights to the directory where you want to install eDirectory.
If you are a nonadministrator user, ensure that you have the appropriate rights as mentioned in Section 1.2, Prerequisites, on page 11.
Installing NICI

NICI should be installed before you proceed with the eDirectory installation. Because the required NICI packages are used systemwide, we recommend you use the root user to install the necessary packages. However, if necessary you can delegate access to a different account using sudo and use that account to install the NICI packages.
With eDirectory 8.8 SP3 or later versions, 32- and 64-bit applications can coexist in a single system. This requires installing both the 32- and 64-bit versions of NICI.

NOTE: There is no space between vi and sudo in the command.
Make an entry with the following information:

Username hostname=(root) NOPASSWD: /bin/rpm

For example, to enable user john to run /bin/rpm as root on the host named lnx-2, type the following:

john lnx-2=(root) NOPASSWD: /bin/rpm

This entry lets john run /bin/rpm as root with any arguments. Because installing an arbitrary package runs that package's scriptlets as root, it is equivalent to giving john root; where possible, restrict the entry to the exact NICI package file (for example /bin/rpm -ivh /88/Linux/Linux/setup/nici-2.7.0-5.i386.rpm) and remove it once NICI is installed.

A nonroot user (john, in this example) needs to do the following to install NICI:

1 Log in as john and execute the following command:
  sudo rpm -ivh nici_rpm_file_name_with_path
  For example:
  sudo rpm -ivh /88/Linux/Linux/setup/nici-2.7.0-5.i386.rpm
2 To initialize NICI, enter the following:
  ln -sf /var/opt/novell/nici /var/novell/nici
  To ensure that NICI is set to server mode, enter the following:
  /var/opt/novell/nici/set_server_mode
  NICI gets installed in the server mode.
Installing eDirectory

1 Go to the directory where you want to install eDirectory.
2 Untar the tar file as follows:
  tar xvf /tar_file_name
  The etc, opt, and var directories are created.
3 Export the paths as follows:
  Manually export the environment variables by entering the following commands:
  For 32-bit:
  export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib:custom_location/eDirectory/opt/novell/eDirectory/lib/nds-modules:custom_location/eDirectory/opt/novell/lib:$LD_LIBRARY_PATH
  export PATH=custom_location/eDirectory/opt/novell/eDirectory/bin:custom_location/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH
  export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH
  export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR
  For 64-bit:
  export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib64:custom_location/eDirectory/opt/novell/eDirectory/lib64/nds-modules:custom_location/eDirectory/opt/novell/lib64:$LD_LIBRARY_PATH
  export PATH=custom_location/eDirectory/opt/novell/eDirectory/bin:custom_location/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH
  export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH
  export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR
  Export the paths in the current shell as follows:
  . custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath

You can configure eDirectory in any of the following ways:

Use the ndsconfig utility as follows:

ndsconfig new [-t <treename>] [-n <server_context>] [-a <admin_FDN>] [-w <admin password>] [-i] [-S <server_name>] [-d <path_for_dib>] [-m <module>] [-e] [-L <ldap_port>] [-l <SSL_port>] [-o <http_port>] [-O <https_port>] [-p <IP address:[port]>] [-c] [-b <port_to_bind>] [-B <interface1@port1>, <interface2@port2>,..] [-D <custom_location>] [--config-file <configuration_file>]

For example:

ndsconfig new -t mary-tree -n novell -a admin.novell -S linux1 -d /home/mary/inst1/data -b 1025 -L 1026 -l 1027 -o 1028 -O 1029 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf

The port numbers you enter need to be in the range 1024 to 65535. Port numbers lower than 1024 are normally reserved for the superuser and standard applications. Therefore, you cannot assume the default port 524 for any eDirectory applications. This might cause the following applications to break:
The applications that do not have an option to specify the target server port.
The older applications that use NCP and run as root for 524.

Use the ndsmanage utility to configure a new instance. For more information, refer to Creating an Instance through ndsmanage on page 32.

Follow the on-screen instructions to complete the configuration.
For more information, see Section 1.6.4, Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server, on page 26.

IMPORTANT: Security Services cannot be updated separately with the tarball installation of eDirectory, unlike the package installs. For tarball installation, the security updates can be obtained only through eDirectory support packs.

NOTE: After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.
For more information about backing up eDirectory, see Backing Up and Restoring Novell eDirectory in the Novell eDirectory 8.8 SP7 Administration Guide.
1.6.4
Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server

After installing eDirectory, configure the eDirectory replica server using the ndsconfig utility. You must have Administrator rights to use the ndsconfig utility. When this utility is used with arguments, it validates all arguments and prompts for the password of the user having Administrator rights. If the utility is used without arguments, ndsconfig displays a description of the utility and available options. This utility can also be used to remove the eDirectory Replica Server and change the current configuration of eDirectory Server. For more information, see The ndsconfig Utility on page 101.

ndsconfig new [-t <treename>] [-n <server context>] [-a <admin FDN>] [-i] [-S <server name>] [-d <path for dib>] [-m <module>] [-e] [-L <ldap port>] [-l <SSL port>] [-o <http port>] [-O <https port>] [-p <IP address:[port]>] [-R] [-c] [-w <admin password>] [-b <port to bind>] [-B <interface1@port1>, <interface2@port2>,..] [-D <custom_location>] [--config-file <configuration_file>]

A new tree is installed with the specified tree name and context.
There is a limitation on the number of characters in the tree_name, admin FDN and server FDN variables. The maximum number of characters allowed for these variables is as follows:
tree_name: 32 characters
admin FDN: 255 characters
server FDN: 255 characters
If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.
Or, you can also use the following syntax:

ndsconfig def [-t <treename>] [-n <server context>] [-a <admin FDN>] [-w <admin password>] [-c] [-i] [-S <server name>] [-d <path for dib>] [-m <module>] [-e] [-L <ldap port>] [-l <SSL port>] [-o <http port>] [-O <https port>] [-D <custom_location>] [--config-file <configuration_file>]
ndsconfig Parameter / Description

upgrade
    Upgrades eDirectory to a later version.
-i
    While configuring a new tree, ignores checking whether a tree of the same name exists. Multiple trees of the same name can exist.
-S server name
    Specifies the server name. The server name can also contain dots (for example, novell.com). Because ndsconfig is a command line utility, using containers with dotted names requires that those dots be escaped out, and the parameters containing these contexts must be enclosed in double quotes. For the command that installs a new eDirectory tree on a UNIX server using novell.com as the name of the O, see Section 1.6.6.
-t treename
    The tree name to which the server has to be added. It can have a maximum of 32 characters. If not specified, ndsconfig takes the tree name from the n4u.nds.treename parameter that is specified in the /etc/opt/novell/eDirectory/conf/nds.conf file. The default treename is $LOGNAME-$HOSTNAME-NDStree.
-n server context
    Specifies the context of the server in which the server object is added. It can have a maximum of 64 characters. If the context is not specified, ndsconfig takes the context from the configuration parameter n4u.nds.server-context specified in the /etc/opt/novell/eDirectory/conf/nds.conf file. The server context should be specified in the typed form. The default context is org.
-d path for dib
    The directory path where the database files will be stored.
[parameter name missing]
    This option forcefully adds the replica of the server regardless of the number of servers already added to the server.
-L ldap port
    Specifies the TCP port number on the LDAP server. If the default port 389 is already in use, it prompts for a new port.
-l SSL port
    Specifies the SSL port number on the LDAP server. If the default port 636 is already in use, it prompts for a new port.
-a admin FDN
    Specifies the fully distinguished name of the User object with Supervisor rights to the context in which the server object and Directory services are to be created. The admin name should be specified in the typed form. It can have a maximum of 64 characters. The default admin name is admin.org.
-e
    Enables clear text passwords for LDAP objects. With this enabled, a simple bind on the clear-text LDAP port (389 by default) sends the password unencrypted over the network; leave it disabled unless a client genuinely cannot use the SSL port.
-m modulename
    Specifies the module name to configure. While configuring a new tree, you can configure only the ds module. After configuring the ds module, you can add the NMAS, LDAP, SAS, SNMP, HTTP services, and Novell SecretStore (ss) using the add command. If the module name is not specified, all the modules are installed.
    NOTE: If you do not want to configure Novell SecretStore during eDirectory upgrade through nds-install, pass the no_ss value to this option. For example, nds-install '-m no_ss'.
-o http port
    Specifies the HTTP clear port number.
-O https port
    Specifies the HTTP secure port number.
-p <IP address:[port]>
    This option is used for secondary server addition (add command) to a tree. It specifies the IP address of the remote host that holds a replica of the partition to which this server is being added. The default port number is 524. This helps in faster lookup of the tree since it avoids SLP lookup.
-R
    By default a replica of the partition to which the server is added would be replicated to the local server. This option disallows adding replicas to the local server.
-c
    This option avoids prompts during ndsconfig operation, such as yes/no to continue the operation, or a prompt to re-enter port numbers when there is a conflict. The user receives prompts only for entering mandatory parameters if they are not passed on the command line.
-w <admin password>
    This option allows passing the admin user password in clear text.
    NOTE: Since the password is passed in clear text, this is not recommended as a safe option owing to password insecurity. The env:<variable> and file:<path> forms shown in Section 1.5.3 keep the password off the command line.
-E
    Enables encrypted replication for the server you are trying to add.
-j
    Jumps or overrides the health check option before installing eDirectory.
-b port to bind
    Sets the default port number on which a particular instance should listen. This sets the default port number on n4u.server.tcp-port and n4u.server.udp-port. If an NCP port is passed using the -b option, then it is assumed to be the default port and the TCP and UDP parameters are updated accordingly.
    NOTE: -b and -B are mutually exclusive.
-B interface1@port1, interface2@port2, ...
    Specifies the port number along with the IP address or interface. For example: -B eth0@524 or -B 100.1.1.2@524
    NOTE: -b and -B are mutually exclusive.
--config-file configuration_file
    Specify the absolute path and file name to store the nds.conf configuration file. For example, to store the configuration file in the /etc/opt/novell/eDirectory/ directory, enter --config-file /etc/opt/novell/eDirectory/nds.conf.
-P LDAP URLs
    Allows the LDAP URLs to configure the LDAP interface on the LDAP Server object. For example: -P ldap://1.2.3.4:1389,ldaps://1.2.3.4:1636
-D path_for_data
    Creates the data, dib, and log directories in the path mentioned.
set valuelist
    Sets the value for the specified eDirectory configurable parameters. It is used to set the bootstrapping parameters before configuring a tree. When configuration parameters are changed, ndsd needs to be restarted for the new value to take effect. However, for some configuration parameters, ndsd need not be restarted. These parameters are listed below:
get paramlist
    Use to view the current value of the specified eDirectory configurable parameters. If the parameter list is not specified, ndsconfig lists all the eDirectory configurable parameters.
1.6.5
Using ndsconfig to Configure Multiple Instances of eDirectory 8.8

Syntax                  Description
ndsmanage               Lists all the instances configured by you.
ndsmanage -a            Lists the instances of all the users who are using a particular installation of eDirectory.
ndsmanage <username>    Lists the instances configured by a specific user.

If you have two instances configured, the following screen is displayed:
2 Enter c to create a new instance.
  You can either create a new tree or add a server to an existing tree. Follow the instructions on the screen to create a new instance.

The menu expands to include the options you can perform on a specific instance.

3 Enter s to start the instance.
  Alternatively, you can also enter the following at the command prompt:
  ndsmanage start --config-file configuration_file_of_the_instance_configured_by_you

Alternatively, you can also enter the following at the command prompt:
ndsmanage stop --config-file configuration_file_of_the_instance_configured_by_you

Deconfiguring an Instance

To deconfigure an instance, do the following:
1 Enter the following:
  ndsmanage
2 Select the instance you want to deconfigure.

To start a specific instance, refer to Starting a Specific Instance on page 33.
To stop a specific instance, refer to Stopping a Specific Instance on page 34.
Example

Mary wants to configure 2 trees on a single host machine.

Instance 1:
  Configuration file path                      /home/mary/inst1/nds.conf
  var directory                                /home/mary/inst1/var

Instance 2:
  Port number the instance should listen on    2524
  Configuration file path                      /home/mary/inst2/nds.conf
  var directory                                /home/mary/inst2/var

Instance 2:

ndsconfig new -t corptree -n o=novell -a cn=admin.o=company -b 2524 -D /home/mary/inst2/var --config-file /home/mary/inst2/nds.conf

or

ndstrace -h 164.99.146.109:1524

If Mary does not specify the instance identifiers, the utility displays all the instances owned by Mary and prompts her to select an instance.

To display all instances owned by John (username is john):

ndsmanage john

To display all instances of all users that are using a particular installation of eDirectory:

ndsmanage -a
1.6.6
Using ndsconfig to Install a Linux Server into a Tree with Dotted Name Containers

You can use ndsconfig to install a Linux server into an eDirectory tree that has containers using dotted names (for example, novell.com).
Because ndsconfig is a command line utility, using containers with dotted names requires that those dots be escaped with a backslash, and the parameters containing these contexts must be quoted (single quotes as below, or double quotes) so that the shell passes the backslashes through unchanged. For example, to install a new eDirectory tree on a Linux server using O=novell.com as the name of the O, use the following command:

ndsconfig new -a 'admin.novell\.com' -t novell_tree -n 'OU=servers.O=novell\.com'
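An added example, not from the guide, that builds the ndsconfig new command for a nonroot instance and refuses the combinations that the port rules in Section 1.6.3, the parameter table in Section 1.6.4 and the escaping rule above warn about: ports outside 1024 to 65535 or used twice, the -w clear-text form (the file: form is used instead) and -e. The helper names are the example's own; the admin FDN, tree name and ports are the guide's examples.

```shell
#!/bin/sh
# Added example, not from the guide: assemble `ndsconfig new` for a nonroot
# instance and reject bad input before ndsconfig ever runs.
# Assumptions (this example's own): the password is in a file, never on the
# command line; -e (clear-text LDAP passwords) is deliberately never emitted;
# the dot-escaping rule is the one from Section 1.6.6 ("." -> "\.").
set -u

# Escape the dots inside one naming component so that ndsconfig does not
# read them as context separators: novell.com -> novell\.com
escape_name() {         # $1 = component value
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Build a typed context from TYPE=value pairs, escaping each value:
#   typed_context OU=servers O=novell.com  ->  OU=servers.O=novell\.com
typed_context() {
    out=""
    for pair in "$@"; do
        type=${pair%%=*}
        value=${pair#*=}
        part="$type=$(escape_name "$value")"
        out="${out:+$out.}$part"
    done
    printf '%s' "$out"
}

# A nonroot instance can only bind ports in 1024-65535 (Section 1.6.3).
port_ok() { [ "$1" -ge 1024 ] 2>/dev/null && [ "$1" -le 65535 ]; }

# Print the command line, or return 1 with the reason on stderr.
#  $1 tree  $2 admin FDN (escaped)  $3 server context (escaped)
#  $4 NCP port  $5 LDAP  $6 LDAPS  $7 HTTP  $8 HTTPS
#  $9 data directory (-D)  $10 nds.conf path  $11 password file
ndsconfig_new_cmd() {
    for p in "$4" "$5" "$6" "$7" "$8"; do
        port_ok "$p" || { echo "port $p is outside 1024-65535" >&2; return 1; }
    done
    dup=$(printf '%s\n' "$4" "$5" "$6" "$7" "$8" | sort | uniq -d)
    [ -z "$dup" ] || { echo "port $dup is used twice" >&2; return 1; }
    # -b (not -B, they are mutually exclusive), -w file:, -c for no prompts.
    printf "ndsconfig new -t %s -n '%s' -a '%s' -b %s -L %s -l %s -o %s -O %s -D %s --config-file %s -w file:%s -c" \
        "$1" "$3" "$2" "$4" "$5" "$6" "$7" "$8" "$9" "${10}" "${11}"
}
```

For the dotted-name case, pass the output of typed_context as the context and an escaped admin FDN, for example ndsconfig_new_cmd novell_tree "admin.$(escape_name novell.com)" "$(typed_context OU=servers O=novell.com)" followed by the ports and paths; the single quotes the function emits keep the backslashes intact when the line is run by a shell.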
1.6.7
Using the nmasinst Utility to Configure NMAS

Configuring NMAS

By default, ndsconfig configures NMAS. You can also use nmasinst for the same.
To configure NMAS and create NMAS objects in eDirectory, enter the following at the server console command line:

nmasinst -i admin.context tree_name

1.6.8
Nonroot user SNMP configuration

To install NOVLsubag, complete the following procedure:
Enter the following command:

rpm -ivh --nodeps NOVLsubag_rpm_file_name_with_path

For example:

rpm -ivh --nodeps novell-NOVLsubag-8.8.1-5.i386.rpm

3 Export the paths as follows:
  Manually export the environment variables.
  For 32-bit:
  export LD_LIBRARY_PATH=custom_location/opt/novell/eDirectory/lib:custom_location/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH
  For 64-bit:
  export LD_LIBRARY_PATH=custom_location/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/lib64:$LD_LIBRARY_PATH
  export PATH=/opt/novell/eDirectory/bin:$PATH
  export MANPATH=/opt/novell/man:$MANPATH
Use the following information to install or upgrade Novell eDirectory 8.8 on a Solaris server:
Section 2.1, System Requirements, on page 39
Section 2.2, Prerequisites, on page 40
Section 2.3, Hardware Requirements, on page 41
Section 2.4, Forcing the Backlink Process to Run, on page 42
Section 2.5, Upgrading eDirectory, on page 42
Section 2.6, Installing eDirectory, on page 43

2.1
System Requirements

You must install eDirectory on one of the following platforms.
For a 32-bit eDirectory installation: Solaris 10 on Sun SPARC
For a 64-bit eDirectory installation: Solaris 10 on Sun SPARC; Solaris 10 Zones (Small Zone and Big Zone)

NOTE: Installation on Solaris 10 Zones is supported on eDirectory 8.8 SP5 or later. Regardless of the type of a zone, either a 32-bit eDirectory or a 64-bit eDirectory can be installed in each of the zones present in a system. In a zone only one type of eDirectory should be installed.

Update your system with the following libumem patches:
SunOS 5.10: libumem library patch for Solaris 10 on SPARC, Patch Id 121921-02

NOTE: All the latest recommended patches are available on the My Oracle Support Web page (https://support.oracle.com). If you do not update your system with the latest patches before installing eDirectory, you will get the patchadd error.

eDirectory also requires the following:
A minimum of 512 MB RAM
184 MB of disk space for the eDirectory server
43 MB of disk space for the eDirectory administration utilities
150 MB of disk space for every 50,000 users
2.2
Prerequisites

IMPORTANT: Check the currently installed Novell and Third Party applications to determine if eDirectory 8.8 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in TID 7003446 (http://www.novell.com/support/kb/doc.php?id=7003446). You are highly recommended to back up eDirectory before any upgrades.

(Conditional) NICI 2.7 and eDirectory 8.8 support key sizes up to 4096 bits. If you want to use a 4096-bit key size, every server must be upgraded to eDirectory 8.8. In addition, every workstation using the management utilities, for example, iManager and ConsoleOne, must have NICI 2.7 installed on it.
When you upgrade your Certificate Authority (CA) server to eDirectory 8.8, the key size will not change but will still be 2048 bits. The only way to create a 4096-bit key is to recreate the CA on an eDirectory 8.8 server. In addition, you would have to change the default key size from 2048 to 4096 bits during the CA creation.
When you install eDirectory, the nds-install utility automatically installs NICI. For more information about installing eDirectory, see Section 2.6.3, Using the nds-install Utility to Install eDirectory Components, on page 45. However, if you need to install only NICI, and not eDirectory itself, on a workstation that has the management utilities installed, you must install NICI manually. For more information about manually installing NICI, see Installing NICI on page 48. The package containing NICI 2.7 is named NOVLniu0-2.7 on Solaris.

SLP should be installed and configured.
With eDirectory 8.8, SLP does not get installed as part of the eDirectory installation.
If you are a root user, you need to install and configure SLP before proceeding with the eDirectory installation.
If you are a nonroot user, SLP should be installed and configured before you proceed with the eDirectory installation. A nonroot user cannot install SLP.
For more information on installing SLP, refer to Using SLP with eDirectory on page 44.

Enable the Solaris host for multicast routing.
To check if the host is enabled for multicast routing, enter the following command:

/bin/netstat -nr

The following entry should be present in the routing table:

224.0.0.0 host_IP_address

If the entry is not present, log in as root, and enter the following command to enable multicast routing:

route add -net 224.0.0.0 netmask 240.0.0.0 hme0

For more information on multicast and broadcast routes, refer to the OpenSLP Web site (http://www.openslp.org/doc/html/UsersGuide/Installation.html).
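The multicast-route check above as a function that reads netstat -nr output, added here as an example and not part of the guide, so it can be run against a captured routing table (the constructed samples in the block) as well as the live one. It assumes the destination is the first column of the table, and uses the interface name and route command from the guide; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the guide: detect the 224.0.0.0 multicast route
# in `netstat -nr` output and print (or, as root, apply) the fix.
# Assumptions: destination is the first field of each routing-table line;
# hme0 and the route command are the ones the guide gives.
set -u

# Constructed sample of /bin/netstat -nr output with no multicast route.
SAMPLE_NO_MCAST='Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
192.168.10.0         192.168.10.5          U         1        123 hme0
default              192.168.10.1          UG        1       4567
127.0.0.1            127.0.0.1             UH        1         42 lo0'

# The same table after `route add`: 224.0.0.0 points at the host address.
SAMPLE_MCAST="$SAMPLE_NO_MCAST
224.0.0.0            192.168.10.5          U         1          0 hme0"

# Return 0 if a 224.0.0.0 destination is present in the table on stdin.
multicast_route_present() {
    awk '$1 == "224.0.0.0" { found = 1 } END { exit found ? 0 : 1 }'
}

# Check the live table. `route add` needs root, so the fix is only applied
# when run as root with --apply; otherwise it is printed and 1 is returned.
ensure_multicast_route() {   # $1 = interface (e.g. hme0), $2 = "--apply" to change the table
    if /bin/netstat -nr | multicast_route_present; then
        echo "multicast route present"
        return 0
    fi
    cmd="route add -net 224.0.0.0 netmask 240.0.0.0 $1"
    if [ "${2:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
        $cmd
    else
        echo "multicast route missing; as root run: $cmd"
        return 1
    fi
}
```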
If you have more than one server in the tree, the time on all the network servers should be synchronized. Use Network Time Protocol (NTP) xntpd to synchronize time.

To avail all the functionality of eMBox such as DSMerge, you need to install the latest Solaris patch, 12 March 2009 or later.

(Conditional) If you are installing a secondary server, all the replicas in the partition that you install the product on should be in the On state.

(Conditional) If you are installing a secondary server into an existing tree as a nonadministrator user, ensure that you have the following rights:
Supervisor rights to the container the server is being installed into.
Supervisor rights to the partition where you want to add the server.
NOTE: This is required for adding the replica when the replica count is less than 3.
All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.
Entry rights: browse rights over the Security container object.
All Attributes rights: read and compare rights over the Security container object.

(Conditional) If you are installing a secondary server into an existing tree as a nonadministrator user, ensure that at least one of the servers in the tree has the same or a higher eDirectory version than that of the secondary being added as container admin. In case the secondary being added is of a later version, the schema needs to be extended by the admin of the tree before adding the secondary using container admin.

While configuring eDirectory, you must enable SLP services and an NCP port (the default is 524) in the firewall to allow the secondary server addition. Additionally, you can enable the following service ports based on your requirements:
LDAP clear text 389
LDAP secured 636
HTTP clear text 8028
HTTP secured 8030
If you have enabled user-defined ports, you must mention these ports while configuring eDirectory.

During eDirectory upgrade, if SecretStore has not already been configured with the previous versions, or you do not want to configure SecretStore, use the -m no_ss option with the nds-install utility.
2.3
Hardware Requirements

Hardware requirements depend on the specific implementation of eDirectory. Two factors increase performance: more cache memory and faster processors. For best results, cache as much of the DIB Set as the hardware allows.
eDirectory scales well on a single processor. However, Novell eDirectory 8.8 takes advantage of multiple processors. Adding processors improves performance in some areas, for example, logins and having multiple threads active on multiple processors. eDirectory itself is not processor intensive, but it is I/O intensive.

The following table illustrates typical system requirements for Novell eDirectory for Solaris.

Objects       Processor                                      Memory    Hard Disk
100,000       Sun Enterprise 220                             384 MB    144 MB
1 million     Sun Enterprise 450                             2 GB      1.5 GB
10 million    Sun Enterprise 4500 with multiple processors   2+ GB     15 GB
2.4
Forcing the Backlink Process to Run

2.5
Upgrading eDirectory

If you have eDirectory 8.5.x or 8.6.x, you have to first upgrade to eDirectory 8.7.x and then upgrade to eDirectory 8.8.

./nds-install

NOTE: Upgrade LUM to 2.1.2 if an older version is installed on the system.

After the upgrade to eDirectory 8.8, the default locations of the configuration files, data files, and log files are changed to /etc/opt/novell/eDirectory/conf, /var/opt/novell/eDirectory/data, and /var/opt/novell/eDirectory/log respectively.
The new directory /var/opt/novell/eDirectory/data uses a symbolic link to the /var/nds directory.
The old configuration file /etc/nds.conf is migrated to the /etc/opt/novell/eDirectory/conf directory. The old configuration file /etc/nds.conf is renamed to /etc/nds.conf_pre88 and the old log files under /var/nds are retained for reference.

NOTE: The ndsconfig upgrade command has to be run after nds-install if the upgrade of the DIB fails and nds-install asks you to do so.

NOTE: The health check fails when the instances are not time-synchronized. To resolve this issue, perform a time sync between the instances. You can ignore this warning message during upgrade.

2.5.1
2.5.2
2.6
Installing eDirectory

The following sections provide information about installing Novell eDirectory on Solaris:
Section 2.6.1, Server Health Checks, on page 43
Section 2.6.2, Using SLP with eDirectory, on page 44
Section 2.6.3, Using the nds-install Utility to Install eDirectory Components, on page 45
Section 2.6.4, Nonroot User Installing eDirectory 8.8, on page 47
Section 2.6.5, Installing eDirectory 8.8 on Solaris 10 Zones, on page 50
Section 2.6.6, Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server, on page 51
Section 2.6.7, Using ndsconfig to Configure Multiple Instances of eDirectory 8.8, on page 53
Section 2.6.8, Using ndsconfig to Install a Solaris Server into a Tree with Dotted Name Containers, on page 53
Section 2.6.9, Using the nmasinst Utility to Configure NMAS, on page 54
Section 2.6.10, Nonroot user SNMP configuration, on page 55

2.6.1
Server Health Checks

2.6.2
Using SLP with eDirectory

For example, to search for the services whose svcname-ws attribute matches the value SAMPLE_TREE, enter the following command:

/usr/bin/slpinfo -s "ndap.novell///(svcname-ws==SAMPLE_TREE)/"

If you have a service registered with its svcname-ws attribute as SAMPLE_TREE, the output will be similar to the following:

service:ndap.novell:///SAMPLE_TREE
2.6.3
Using the nds-install Utility to Install eDirectory Components

To install eDirectory components, use the following syntax:

nds-install [-h] [-i] [-j] [-u]

nds-install Parameter   Description
-h
-i
-j
-m                      As in the nds-install parameter table in Section 1.6.2.
-u                      As in the nds-install parameter table in Section 1.6.2.

The installation program proceeds to add the appropriate RPMs or packages into the Solaris system. The following table lists the packages installed for each eDirectory component.

eDirectory Component       Packages Installed                                                Description
eDirectory Server          NDSbase NDScommon NDSmasv NDSserv NDSimon NDSrepair NDSdexvnt      The eDirectory replica server is installed on the specified server.
                           NOVLsubag NOVLsnmp NOVLpkit NOVLpkis NOVLpkia NOVLembox NOVLlmgnt
                           NOVLxis NLDAPsdk NLDAPbase NOVLsas NOVLntls NOVLnmas NOVLldif2dib
                           NOVLncp
Administration Utilities                                                                     The Novell Import Conversion Export and LDAP Tools administration utilities are installed on the specified workstation.

2 If you are prompted, enter the complete path to the license file.

Export the paths in the current shell as follows:

. /opt/novell/eDirectory/bin/ndspath
2.6.4
Nonroot User Installing eDirectory 8.8

Prerequisites

If you want to install eDirectory using the tarball and not the nds-install utility, ensure that NICI is installed. For information on installing NICI on Solaris, refer to Installing NICI on page 48.
If you want to use SLP and SNMP, ensure that they are installed by the root user.
Write rights to the directory where you want to install eDirectory.
If you are a nonadministrator user, ensure that you have the appropriate rights as mentioned in Section 2.2, Prerequisites, on page 40.

Installing NICI

NICI should be installed before you proceed with the eDirectory installation. Because the required NICI packages are used systemwide, we recommend you use the root user to install the necessary packages. However, if necessary you can delegate access to a different account using sudo and use that account to install the NICI packages.

NOTE: There is no space between vi and sudo in the command.

3 Make an entry with the following information:
  Username hostname=(root) NOPASSWD: /usr/sbin/pkgadd

For example, to enable john to run /usr/sbin/pkgadd as root on the host named sol-2, type the following:

john sol-2=(root) NOPASSWD: /usr/sbin/pkgadd

As with rpm on Linux, this entry lets john install any package as root, and a package's install scripts run as root, so it is equivalent to giving john root. Where possible, restrict the entry to the exact NICI package file and remove it once NICI is installed.

A nonroot user (john, in the example) needs to do the following to install NICI:

1 Log in as john and execute the following command:
  For example:
  sudo pkgadd -d /home/build/Solaris/Solaris/setup/NOVLniu0.pkg NOVLniu0
2 Execute the following script:
  sudo /var/opt/novell/nici/set_server_mode

NICI gets installed in the server mode.
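The sudoers delegation for the NICI install on Linux (rpm, Section 1.6.3) and Solaris (pkgadd, above), narrowed to the exact package file instead of the whole installer, as an added example that is not part of the guide. The user, host and package paths are the guide's own examples; sudoers_line_broad, sudoers_line_nici, sudoers_shape_ok and sudoers_check are the example's names, and the visudo check only runs where visudo is installed.

```shell
#!/bin/sh
# Added example, not from the guide: the guide's sudoers line beside a
# narrowed one that only permits the NICI package install, plus a syntax
# check before the line is dropped into /etc/sudoers.d.
# Assumptions: user/host/package paths are the guide's examples; the helper
# names are this example's own.
set -u

# The guide's form: any rpm or pkgadd invocation as root. Installing an
# arbitrary package runs its scriptlets as root, so this is root access.
sudoers_line_broad() {      # $1 user, $2 host, $3 installer path
    printf '%s %s=(root) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# Narrowed form: sudo matches the argument list literally, so a different
# package path or extra flags are refused. On Solaris, step 2
# (set_server_mode) also runs under sudo, so it is listed as a second command.
sudoers_line_nici() {       # $1 user, $2 host, $3 linux|solaris, $4 NICI package path
    case "$3" in
        linux)
            printf '%s %s=(root) NOPASSWD: /bin/rpm -ivh %s\n' "$1" "$2" "$4" ;;
        solaris)
            printf '%s %s=(root) NOPASSWD: /usr/sbin/pkgadd -d %s NOVLniu0, /var/opt/novell/nici/set_server_mode\n' \
                "$1" "$2" "$4" ;;
        *)
            echo "unknown platform: $3" >&2; return 1 ;;
    esac
}

# Cheap shape check usable anywhere: "user host=(root) NOPASSWD: /abs/path".
sudoers_shape_ok() {        # $1 = candidate file
    grep -Eq '^[A-Za-z0-9_-]+ [A-Za-z0-9_.-]+=\(root\) NOPASSWD: /' "$1"
}

# Full check: shape, then visudo -c -f where visudo exists. A sudoers file
# with a syntax error can lock every administrator out of sudo.
sudoers_check() {           # $1 = candidate file
    sudoers_shape_ok "$1" || return 1
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null
    fi
}
```

Write the narrowed line to a file with sudoers_line_nici, run sudoers_check on it, and only then install it as root with mode 0440 under /etc/sudoers.d (or append it with visudo); john can then run exactly the commands in steps 1 and 2 and nothing else.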
Installing eDirectory
1 Go to the directory where you want to install eDirectory.
2 Untar the tar file as follows:
tar xvf /tar_file_name
3 Export the paths as follows:
Manually export the environment variables
32-bit:
export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib:custom_location/eDirectory/opt/novell/eDirectory/lib/nds-modules:custom_location/eDirectory/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH
64-bit:
export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib/sparcv9:custom_location/eDirectory/opt/novell/eDirectory/lib/sparcv9/nds-modules:custom_location/eDirectory/opt/novell/lib/sparcv9:/opt/novell/lib/sparcv9:/opt/novell/eDirectory/lib/sparcv9:$LD_LIBRARY_PATH
export PATH=custom_location/eDirectory/opt/novell/eDirectory/bin:custom_location/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH
export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH
export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR
Export the paths in the current shell as follows:
. custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath
You can configure eDirectory in any of the following ways:
Use the ndsconfig utility as follows:
ndsconfig new -t treename -n server_context -a admin_FDN [-i] [-S server_name] [-d path_for_dib] [-m module] [-e] [-L ldap_port] [-l SSL_port] [-o http_port] [-O https_port] [-b port_to_bind] [-B interface1@port1,interface2@port2,..] [-D custom_location] [--config-file configuration_file]
For example:
ndsconfig new -t mary-tree -n novell -a admin.novell -S linux1 -d /home/mary/inst1/data -b 1025 -L 1026 -l 1027 -o 1028 -O 1029 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf
The port numbers you enter need to be in the range 1024 to 65535. Port numbers less than 1024 are normally reserved for the superuser and standard applications. Therefore, you cannot assume the default port 524 for any eDirectory applications. This might cause the following applications to break:
The applications that don't have an option to specify the target server port.
The older applications that use NCP, and are run as root for 524.
Use the ndsmanage utility to configure a new instance. For more information, refer to Creating an Instance through ndsmanage on page 32.
Follow the on-screen instructions to complete the configuration.
For more information, see Section 2.6.6, Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server, on page 51.
NOTE: After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.
For more information about backing up eDirectory, see Backing Up and Restoring Novell eDirectory, in the Novell eDirectory 8.8 SP7 Administration Guide.
2.6.5 An Introduction to Zones
A zone is a virtual instance of Solaris. It is also one of the software partitions of the operating system. A large Sun Fire server with hardware domains allows the creation of several isolated systems. It is easy to move individual CPUs between the zones as needed, or to configure the sharing of CPUs and memory.
Types of Zones
There are two types of zones, a global zone and a non-global zone.
Global Zone
The global zone is the original Solaris OS instance, which has access to the physical hardware and can control all the processes. Global zones create non-global zones that are authorized to create and control new zones in which the applications run.
Non-Global Zone
A non-global zone is aligned with the global zones, but does not run inside them. Global zones can monitor the configuration of the non-global zones and control them. You can choose two general non-global zone types during the zone creation, a Small Zone and a Big Zone.
2.6.6 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server
You must have Administrator rights to use the ndsconfig utility. When this utility is used with arguments, it validates all arguments and prompts for the password of the user having Administrator rights. If the utility is used without arguments, ndsconfig displays a description of the utility and available options.
A new tree is installed with the specified tree name and context.
There is a limitation on the number of characters in the tree_name, admin FDN and server FDN variables. The maximum number of characters allowed for these variables is as follows:
tree_name: 32 characters
admin FDN: 255 characters
server FDN: 255 characters
If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.
Or, you can also use the following syntax:
ndsconfig def -t treename -n server_context -a admin_FDN [-i] [-S server_name] [-d path_for_dib] [-m module] [-e] [-L ldap_port] [-l SSL_port] [-o http_port] [-O https_port] [-D custom_location] [--config-file configuration_file]
A server is added to an existing tree in the specified context. If the context that the user wants to add the Server object to does not exist, ndsconfig creates the context and adds the server.
2.6.7
2.6.8 Using ndsconfig to Install a Solaris Server into a Tree with Dotted Name Containers
You can use ndsconfig to install a Solaris server into an eDirectory tree that has containers using dotted names (for example, novell.com).
Because ndsconfig is a command line utility, using containers with dotted names requires that those dots be escaped, and the parameters containing these contexts must be enclosed in double quotes: an unquoted backslash is removed by the shell before ndsconfig ever sees the argument. For example, to install a new eDirectory tree on a Solaris server using O=novell.com as the name of the O, use the following command:
ndsconfig new -a "admin.novell\.com" -t novell_tree -n "OU=servers.O=novell\.com"
NOTE: You should use this format when entering a dotted admin name and context while using utilities such as DSRepair, Backup, DSMerge, DSLogin, and ldapconfig.
2.6.9 Configuring NMAS
By default, ndsconfig configures NMAS. You can also use nmasinst for the same. To configure NMAS and create NMAS objects in eDirectory, enter the following at the server console command line:
nmasinst -i admin.context tree_name
If the login method already exists, nmasinst will update it.
2.6.10
export MANPATH=/opt/novell/man:$MANPATH
Use the following information to install or upgrade Novell eDirectory 8.8 on an AIX server:
Section 3.1, System Requirements, on page 57
Section 3.2, Prerequisites, on page 57
Section 3.3, Hardware Requirements, on page 59
Section 3.4, Forcing the Backlink Process to Run, on page 59
Section 3.5, Upgrading eDirectory, on page 60
Section 3.6, Installing eDirectory, on page 60
3.1 System Requirements
You can install eDirectory 8.8 SP7 (32-bit installation only) on servers running AIX Version 6.1.x. eDirectory also requires the following:
All recommended AIX OS patches, available at the IBM Fix Central (http://www-933.ibm.com/support/fixcentral/) Web site
A minimum of 512 MB RAM
215 MB of disk space for the eDirectory server
38 MB of disk space for the eDirectory administration utilities
150 MB of disk space for every 50,000 users
3.2 Prerequisites
IMPORTANT: Check the currently installed Novell and Third Party applications to determine if eDirectory 8.8 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in the TID 7003446 (http://www.novell.com/support/kb/doc.php?id=7003446). You are highly recommended to back up eDirectory before any upgrades.
Enable the AIX host for multicast routing.
See if the multicast routing daemon mrouted is running.
If it is not running, configure and start the multicast daemon mrouted.
See the mrouted.conf File section in the Files Reference book on the AIX Documentation Web site (http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix.htm) for an example configuration file.
(Conditional) NICI 2.7 and eDirectory 8.8 support key sizes up to 4096 bits. If you want to use a 4096-bit key size, every server must be upgraded to eDirectory 8.8. In addition, every workstation using the management utilities, for example, iManager and ConsoleOne, must have NICI 2.7 installed on it.
When you upgrade your Certificate Authority (CA) server to eDirectory 8.8, the key size will not change but will still be 2048 bits. The only way to create a 4096-bit key is to recreate the CA on an eDirectory 8.8 server. In addition, you would have to change the default key size from 2048 to 4096 bits during the CA creation.
When you install eDirectory, the nds-install utility automatically installs NICI. For more information about installing eDirectory, see Section 3.6.3, Using the nds-install Utility to Install eDirectory Components, on page 62. However, if you need to install only NICI, and not eDirectory itself, on a workstation that has the management utilities installed, you must install NICI manually. For more information about manually installing NICI, see Installing NICI on page 65. The package containing NICI 2.7 is named NOVLniu0-2.7 on AIX.
If you have more than one server in the tree, the time on all the network servers should be synchronized. Use the Network Time Protocol (NTP) daemon, xntpd, to synchronize time.
(Conditional) If you are installing a secondary server, all the replicas in the partition that you install the product on should be in the On state.
(Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that you have the following rights:
Supervisor rights to the container the server is being installed into.
Supervisor rights to the partition where you want to add the server.
NOTE: This is required for adding the replica when the replica count is less than 3.
All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.
Entry rights: browse rights over the Security container object.
All Attributes rights: read and compare rights over the Security container object.
(Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that at least one of the servers in the tree has the same or higher eDirectory version as that of the secondary being added as container admin. In case the secondary being added is of a later version, the schema needs to be extended by the admin of the tree before adding the secondary using container admin.
While configuring eDirectory, you must enable SLP services and an NCP port (the default is 524) in the firewall to allow the secondary server addition. Additionally, you can enable the following service ports based on your requirements:
LDAP clear text 389
LDAP secured 636
HTTP clear text 8028
HTTP secured 8030
If you have enabled user-defined ports, you must mention these ports while configuring eDirectory.
During eDirectory upgrade, if SecretStore has not already been configured with the previous versions, or you do not want to configure SecretStore, use the -m no_ss option with the nds-install utility.
3.3 Hardware Requirements
Hardware requirements depend on the specific implementation of eDirectory.
For example, a base installation of Novell eDirectory with the standard schema requires about 74 MB of disk space for every 50,000 users. However, if you add a new set of attributes or completely fill in every existing attribute, the object size grows. These additions affect the disk space, processor, and memory needed.
Two factors increase performance: more cache memory and faster processors.
For best results, cache as much of the DIB Set as the hardware allows.
eDirectory scales well on a single processor. However, eDirectory 8.8 takes advantage of multiple processors. Adding processors improves performance in some areas, for example, logins and having multiple threads active on multiple processors. eDirectory itself is not processor intensive, but it is I/O intensive.
The following table illustrates typical system requirements for Novell eDirectory for AIX.
Objects      100,000    1 Million    10 Million
Processor    RS/6000    RS/6000      RS/6000
Memory       344 MB     2 GB         2+ GB
Hard Disk    144 MB     1.5 GB       15 GB
3.4
3.5 Upgrading eDirectory
To upgrade to eDirectory 8.8 from eDirectory 8.7, 8.7.1, or 8.7.3, enter the following:
./nds-install
After the upgrade to eDirectory 8.8, the default locations of the configuration files, data files, and log files are changed to /etc/opt/novell/eDirectory/conf, /var/opt/novell/eDirectory/data, and /var/opt/novell/eDirectory/log respectively.
The new directory /var/opt/novell/eDirectory/data uses a symbolic link to the /var/nds directory.
The old configuration file /etc/nds.conf is migrated to the /etc/opt/novell/eDirectory/conf directory. The old configuration file /etc/nds.conf is renamed to /etc/nds.conf_pre88 and the old log files under /var/nds are retained for reference.
NOTE: The ndsconfig upgrade command has to be run after nds-install, if the upgrade of the DIB fails and nds-install asks you to do so.
NOTE: The health check fails due to time sync. To resolve this issue, perform a time sync between the instances. You can ignore this warning message during upgrade.
3.5.1
3.5.2
3.6 Installing eDirectory
The following sections provide information about installing Novell eDirectory on AIX:
Section 3.6.1, Server Health Checks, on page 61
Section 3.6.2, Using SLP with eDirectory, on page 61
Section 3.6.3, Using the nds-install Utility to Install eDirectory Components, on page 62
Section 3.6.4, Non-root User Installing eDirectory 8.8, on page 64
Section 3.6.5, Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server, on page 67
Section 3.6.6, Using ndsconfig to Configure Multiple Instances of eDirectory 8.8, on page 69
Section 3.6.7, Using ndsconfig to Install an AIX Server into a Tree with Dotted Name Containers, on page 69
Section 3.6.8, Using the nmasinst Utility to Configure NMAS, on page 69
Section 3.6.9, Non-root user SNMP configuration, on page 70
3.6.1
3.6.2
The SLP fileset is present in the setup directory in the build. For example, if you have the build in the /home/build directory, enter the following command:
installp -acgXd /home/build/Aix/Aix/setup/NDS.NDSslp
2 Follow the on-screen instructions to complete the SLP installation.
3 Start SLP.
If you decide to use SLP to resolve the tree name to determine if the eDirectory tree is advertised, after eDirectory and SLP are installed, enter the following:
/usr/bin/slpinfo -s "ndap.novell///(svcname-ws==[treename or *])"
For example, to search for the services whose svcname-ws attribute matches the value SAMPLE_TREE, enter the following command:
/usr/bin/slpinfo -s "ndap.novell///(svcname-ws==SAMPLE_TREE)/"
If you have a service registered with its svcname-ws attribute as SAMPLE_TREE, then the output will be similar to the following:
service:ndap.novell:///SAMPLE_TREE
3.6.3
To install eDirectory components, use the following syntax:
nds-install [-h] [-i] [-j] [-u]
-h -i -j
-m
-u
The installation program installs the following packages:
Packages Installed
NDSbase
NDScommon
NDSmasv
NDSserv
NDSimon
NDSrepair
NDSdexvnt
NOVLsubag
NOVLsnmp
NOVLpkit
NOVLpkis
NOVLpkia
NOVLembox
NOVLlmgnt
NOVLxis
NLDAPsdk
NLDAPbase
NOVLsas
NOVLntls
NOVLnmas
NOVLldif2
NOVLncp
Administration Utilities
The Novell Import Conversion Export and LDAP Tools administration utilities are installed on the specified workstation.
2 If you are prompted, enter the complete path to the license file.
export them as follows:
Manually export the environment variables
export LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH
export LIBPATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LIBPATH
export PATH=/opt/novell/eDirectory/bin:/opt/novell/eDirectory/sbin:$PATH
export MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH
export TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR
Export the paths in the current shell as follows:
. /opt/novell/eDirectory/bin/ndspath
3.6.4 Non-root User Installing eDirectory 8.8
Prerequisites
If you want to install eDirectory using the tarball and not the nds-install utility, ensure that NICI is installed. For information on installing NICI, refer to Installing NICI on page 65.
If you want to use SLP and SNMP, ensure that they are installed by the root user.
Write rights to the directory where you want to install eDirectory.
If you are a non-administrator user, ensure that you have the appropriate rights as mentioned in Section 3.2, Prerequisites, on page 57.
Installing NICI
NICI should be installed before you proceed with the eDirectory installation. Because the required NICI packages are used system-wide, we recommend you use the root user to install the necessary packages. However, if necessary you can delegate access to a different account using sudo and use that account to install the NICI packages.
For example:
installp -acgXd /home/build/AIX/AIX/setup/NOVLniu0.2.7.0.0 NOVLniu0
NOTE: There is no space between vi and sudo in the command.
Make an entry with the following information:
Username hostname=(root) NOPASSWD: /usr/sbin/installp
For example, to enable john to run /usr/sbin/installp as root on the hostname aix-2, type the following:
john aix-2=(root) NOPASSWD: /usr/sbin/installp
A non-root user (john, in the example) needs to do the following to install NICI:
1 Log in as john and execute the following command:
sudo installp -acgXd absolute_path_of_the_NICI_fileset NOVLniu0
For example:
sudo installp -acgXd /home/build/AIX/AIX/setup/NOVLniu0.2.7.0.0 NOVLniu0
2 Execute the following script:
sudo /var/opt/novell/nici/set_server_mode
NICI gets installed in the server mode.
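The sudoers entries in this procedure and in the Solaris one (pkgadd there, installp here) grant a single binary without a password, but that binary installs arbitrary packages as root, so the grant is root-equivalent and should be reviewed like one. The following script is an added example and not part of the Novell guide: it builds the entry in the form the guide uses and audits a sudoers fragment for NOPASSWD grants, classifying each by how much it really hands over. The sample sudoers text is constructed, and the user and host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the Novell guide: generate and audit the sudoers
# grants used to let a non-root account install NICI.
# pkgadd/installp/rpm running as root install arbitrary packages (including
# setuid binaries and post-install scripts), so a NOPASSWD grant on them is
# root-equivalent even though only one binary is named.

# sudoers_line USER HOST CMD -> "USER HOST=(root) NOPASSWD: CMD"
# Refuses a relative command: sudo matches on the absolute path, so a
# relative one would never match (and a pattern would match too much).
sudoers_line() {
  case "$3" in
    /*) ;;
    *) echo "sudoers_line: command must be an absolute path: $3" >&2; return 1 ;;
  esac
  printf '%s %s=(root) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# audit_nopasswd reads sudoers text on stdin and prints, per NOPASSWD grant,
# "USER HOST CMD RISK" where RISK is:
#   root   - ALL, or a package installer (root-equivalent)
#   broad  - the command spec contains a wildcard
#   narrow - a single absolute path
audit_nopasswd() {
  sed -e 's/#.*$//' | grep 'NOPASSWD:' | while read -r user host rest; do
    host=${host%%=*}                      # "sol-2=(root)" -> "sol-2"
    cmd=${rest#*NOPASSWD:}                # text after the tag
    cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$cmd" in
      ALL|*/pkgadd|*/installp|*/rpm|*/pkgadd\ *|*/installp\ *|*/rpm\ *) risk=root ;;
      *\**|*\?*) risk=broad ;;
      *) risk=narrow ;;
    esac
    printf '%s %s %s %s\n' "$user" "$host" "$cmd" "$risk"
  done
}

# Constructed sample (not a real /etc/sudoers) covering each class.
SAMPLE_SUDOERS='# constructed sample
john sol-2=(root) NOPASSWD: /usr/sbin/pkgadd
mary aix-2=(root) NOPASSWD: /usr/sbin/installp
bob  ALL=(ALL) NOPASSWD: ALL
eve  ALL=(root) NOPASSWD: /usr/local/bin/*
ann  aix-2=(root) NOPASSWD: /var/opt/novell/nici/set_server_mode
'

# audit_sample -> the audit of the constructed fragment, one grant per line
audit_sample() {
  printf '%s' "$SAMPLE_SUDOERS" | audit_nopasswd
}
```

Running audit_sample reports john, mary and bob as root-equivalent even though only bob's entry says ALL. After the entry has been added with visudo, `sudo -l -U john` (run as root) shows the grant as sudo itself parses it; remove the line again once NICI is installed, since the delegation is only needed for that one step.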
Installing eDirectory
1 Go to the directory where you want to install eDirectory.
2 Untar the tar file as follows:
tar xvfp /tar_file_name
3 Export the paths as follows:
Manually export the environment variables
export LD_LIBRARY_PATH=custom_location/eDirectory/opt/novell/eDirectory/lib:custom_location/eDirectory/opt/novell/eDirectory/lib/nds-modules:custom_location/eDirectory/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH
export LIBPATH=custom_location/eDirectory/opt/novell/eDirectory/lib:custom_location/eDirectory/opt/novell/eDirectory/lib/nds-modules:custom_location/eDirectory/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LIBPATH
export PATH=custom_location/eDirectory/opt/novell/eDirectory/bin:custom_location/eDirectory/opt/novell/eDirectory/sbin:/opt/novell/eDirectory/bin:$PATH
export MANPATH=custom_location/eDirectory/opt/novell/man:custom_location/eDirectory/opt/novell/eDirectory/man:$MANPATH
export TEXTDOMAINDIR=custom_location/eDirectory/opt/novell/eDirectory/share/locale:$TEXTDOMAINDIR
Go to the custom_location/eDirectory/opt/novell/eDirectory/bin/ directory and export the paths in the current shell as follows:
. custom_location/eDirectory/opt/novell/eDirectory/bin/ndspath
You can configure eDirectory in any of the following ways:
Use the ndsconfig utility as follows:
ndsconfig new -t treename -n server_context -a admin_FDN [-i] [-S server_name] [-d path_for_dib] [-m module] [-e] [-L ldap_port] [-l SSL_port] [-o http_port] [-O https_port] [-b port_to_bind] [-B interface1@port1,interface2@port2,..] [-D custom_location] [--config-file configuration_file]
For example:
ndsconfig new -t mary-tree -n novell -a admin.novell -S linux1 -d /home/mary/inst1/data -b 1025 -L 1026 -l 1027 -o 1028 -O 1029 -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf
The port numbers you enter need to be in the range 1024 to 65535. Port numbers less than 1024 are normally reserved for the superuser and standard applications. Therefore, you cannot assume the default port 524 for any eDirectory applications. This might cause the following applications to break:
The applications that don't have an option to specify the target server port.
The older applications that use NCP, and are run as root for 524.
Use the ndsmanage utility to configure a new instance. For more information, refer to Creating an Instance through ndsmanage on page 32.
Follow the on-screen instructions to complete the configuration.
For more information, see Section 3.6.5, Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server, on page 67.
NOTE: After you install eDirectory, we recommend you exclude the DIB directory on your eDirectory server from any antivirus or backup software processes. Use the eDirectory Backup Tool to back up your DIB directory.
For more information about backing up eDirectory, see Backing Up and Restoring Novell eDirectory, in the Novell eDirectory 8.8 SP7 Administration Guide.
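A non-root ndsconfig run fails late and untidily if one of the five ports (-b, -L, -l, -o, -O) is below 1024, duplicated, or already taken on the host, and the same constraint applies to the Solaris procedure earlier in this guide. The script below is an added example and not part of the Novell guide: it validates the ports before ndsconfig is invoked, using the guide's example ports 1025-1029 as sample input. The tree name, contexts and paths are the guide's placeholders, and the netstat check is best-effort across Solaris, AIX and Linux output formats.

```shell
#!/bin/sh
# Added example, not from the Novell guide: check the ports a non-root
# ndsconfig instance will bind before running it. The guide's example ports
# (1025-1029) are used as sample input; tree, context and paths are placeholders.

# port_ok PORT -> 0 if PORT is an integer in 1024..65535, the range a
# non-root process can bind without privilege.
port_ok() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# check_ports LABEL=PORT ... -> one problem per line on stdout, returns 1 if
# any port is out of range or assigned to two services.
check_ports() {
  rc=0
  seen=""
  for pair in "$@"; do
    label=${pair%%=*}
    port=${pair#*=}
    if ! port_ok "$port"; then
      echo "$label: port '$port' is not in 1024-65535"
      rc=1
      continue
    fi
    case " $seen " in
      *" $port "*) echo "$label: port $port is already assigned to another service"; rc=1 ;;
    esac
    seen="$seen $port"
  done
  return $rc
}

# port_listening PORT -> 0 if something on this host already listens on PORT.
# Best-effort: netstat -an output differs between Solaris, AIX and Linux, but
# all three print the local port after '.' or ':' followed by whitespace and
# a LISTEN state for TCP listeners.
port_listening() {
  netstat -an 2>/dev/null | grep -E "[.:]$1[[:space:]]" | grep -q LISTEN
}

# configure_instance NCP LDAP LDAPS HTTP HTTPS -> runs ndsconfig only if the
# five ports are valid, distinct and currently free. Non-port arguments are
# the guide's example values.
configure_instance() {
  check_ports ncp="$1" ldap="$2" ldaps="$3" http="$4" https="$5" || return 1
  for p in "$@"; do
    if port_listening "$p"; then
      echo "port $p is already in use on this host" >&2
      return 1
    fi
  done
  ndsconfig new -t mary-tree -n novell -a admin.novell -S linux1 \
    -d /home/mary/inst1/data -b "$1" -L "$2" -l "$3" -o "$4" -O "$5" \
    -D /home/mary/inst1/var --config-file /home/mary/inst1/nds.conf
}
```

`configure_instance 1025 1026 1027 1028 1029` reproduces the guide's example; `configure_instance 524 1026 1026 1028 1029` stops before ndsconfig runs, reporting both the privileged NCP port and the LDAP/LDAPS collision.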
3.6.5 Using the ndsconfig Utility to Add or Remove the eDirectory Replica Server
You must have Administrator rights to use the ndsconfig utility. When this utility is used with arguments, it validates all arguments and prompts for the password of the user having Administrator rights. If the utility is used without arguments, ndsconfig displays a description of the utility and available options. This utility can also be used to remove the eDirectory Replica Server and change the current configuration of the eDirectory Server. For more information, see The ndsconfig Utility on page 101.
A new tree is installed with the specified tree name and context.
There is a limitation on the number of characters in the tree_name, admin FDN and server FDN variables. The maximum number of characters allowed for these variables is as follows:
tree_name: 32 characters
admin FDN: 255 characters
server FDN: 255 characters
If the parameters are not specified in the command line, ndsconfig prompts you to enter values for each of the missing parameters.
Or, you can also use the following syntax:
ndsconfig def -t treename -n server_context -a admin_FDN [-i] [-S server_name] [-d path_for_dib] [-m module] [-e] [-L ldap_port] [-l SSL_port] [-o http_port] [-O https_port]
3.6.6
3.6.7 Using ndsconfig to Install an AIX Server into a Tree with Dotted Name Containers
You can use ndsconfig to install an AIX server into an eDirectory tree that has containers using dotted names (for example, novell.com).
Because ndsconfig is a command line utility, using containers with dotted names requires that those dots be escaped, and the parameters containing these contexts must be enclosed in double quotes: an unquoted backslash is removed by the shell before ndsconfig ever sees the argument. For example, to install a new eDirectory tree on an AIX server using O=novell.com as the name of the O, use the following command:
ndsconfig new -a "admin.novell\.com" -t novell_tree -n "OU=servers.O=novell\.com"
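Which dots to escape cannot be decided from the finished string, only from the components it was built from, and the escaping is undone by the shell unless the argument is double-quoted. The script below is an added example and not part of the Novell guide (it applies equally to the Solaris procedure in Section 2.6.8): it builds the contexts from their components, proves what ndsconfig would actually receive with and without quotes, and prints the resulting command. The tree name and container names are placeholders.

```shell
#!/bin/sh
# Added example, not from the Novell guide: build dot-separated eDirectory
# contexts for ndsconfig from their individual components, so that a dot
# inside a component (O=novell.com) is escaped while the separator dots are
# not, and show why the quoting the guide asks for matters.
# Tree name and container names are placeholders.

# edir_escape COMPONENT -> COMPONENT with every backslash and dot escaped
edir_escape() {
  printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/\./\\./g'
}

# edir_fdn COMPONENT... -> components joined with '.', leaf first,
# e.g. edir_fdn OU=servers O=novell.com -> OU=servers.O=novell\.com
edir_fdn() {
  fdn=""
  for c in "$@"; do
    e=$(edir_escape "$c")
    if [ -z "$fdn" ]; then fdn=$e; else fdn="$fdn.$e"; fi
  done
  printf '%s\n' "$fdn"
}

# argv_seen ARG -> the argument exactly as a program receives it. Calling it
# with an unquoted novell\.com shows the shell stripping the backslash;
# with "novell\.com" in double quotes the backslash survives.
argv_seen() {
  printf '%s\n' "$1"
}

# new_tree_cmd -> the ndsconfig command the guide's example corresponds to,
# with both dotted contexts generated and double-quoted. Printed rather
# than executed so it can be reviewed first.
new_tree_cmd() {
  printf 'ndsconfig new -a "%s" -t novell_tree -n "%s"\n' \
    "$(edir_fdn admin novell.com)" "$(edir_fdn OU=servers O=novell.com)"
}
```

The same generated values can be pasted into DSRepair, DSMerge, DSLogin and ldapconfig, which the note below says expect the same escaped form. Because edir_escape also escapes an existing backslash, a component that already contains one is not double-interpreted.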
3.6.8 Configuring NMAS
By default, ndsconfig configures NMAS. You can also use nmasinst for the same. To configure NMAS and create NMAS objects in eDirectory, enter the following at the server console command line:
nmasinst -i admin.context tree_name
3.6.9
Manually export the environment variables.
export LD_LIBRARY_PATH=custom_location/opt/novell/eDirectory/lib:custom_location/opt/novell/lib:/opt/novell/lib:/opt/novell/eDirectory/lib:$LD_LIBRARY_PATH
export PATH=/opt/novell/eDirectory/bin:$PATH
export MANPATH=/opt/novell/:$MANPATH
Use the following information to install or upgrade Novell eDirectory 8.8 on a Windows platform:
Section 4.1, System Requirements, on page 71
Section 4.2, Prerequisites, on page 72
Section 4.3, Hardware Requirements, on page 73
Section 4.4, Forcing the Backlink Process to Run, on page 74
Section 4.5, Disk Space Check on Upgrading to eDirectory SP7 or later, on page 74
Section 4.6, Installing Novell eDirectory on Windows, on page 75
IMPORTANT: Novell eDirectory 8.8 lets you install eDirectory for Windows without the Novell Client. If you install eDirectory 8.8 on a machine already containing the Novell Client, eDirectory will use the existing Client. For more information, see Installing or Updating Novell eDirectory 8.8 on a Windows Server on page 75.
4.1 System Requirements
You must install eDirectory on one of the following platforms.
For a 32-bit eDirectory installation:
32-bit Windows Server 2003 Enterprise Edition with latest Service Pack
32-bit Windows Server 2008 (Standard/Enterprise/Data Center Edition)
For a 64-bit eDirectory installation:
64-bit Windows Server 2008 (Standard/Enterprise/Data Center Edition)
Windows Server 2008 R2 (Standard/Enterprise/Data Center Edition)
IMPORTANT
You must use an account that has administrative rights to install eDirectory 8.8 SP7 on Windows Server 2008 R2.
You should apply the latest available patch for eDirectory.
Windows XP is not a supported eDirectory 8.8 platform.
eDirectory also requires the following:
An assigned IP address
4.2 Prerequisites
IMPORTANT: Check the currently installed Novell and Third Party applications to determine if eDirectory 8.8 is supported before upgrading your existing eDirectory environment. You can find out the current status for Novell products in the TID 7003446 (http://www.novell.com/support/kb/doc.php?id=7003446). It is also highly recommended to back up eDirectory prior to any upgrades.
Because NTFS provides a safer transaction process than a FAT file system provides, you can install eDirectory only on an NTFS partition. Therefore, if you have only FAT file systems, do one of the following:
Create a new partition and format it as NTFS. Use Disk Administrator. Refer to the Windows Server documentation for more information.
Convert an existing FAT file system to NTFS, using the CONVERT command. Refer to the Windows Server documentation for more information.
If your server only has a FAT file system and you forget or overlook this process, the installation program prompts you to provide an NTFS partition.
(Conditional) NICI 2.7 and eDirectory 8.8 support key sizes up to 4096 bits. If you want to use a 4096-bit key size, every server must be upgraded to eDirectory 8.8. In addition, every workstation using the management utilities, for example, iManager and ConsoleOne, must have NICI 2.7 installed on it.
When you upgrade your Certificate Authority (CA) server to eDirectory 8.8, the key size will not change but will still be 2048 bits. The only way to create a 4096-bit key is to recreate the CA on an eDirectory 8.8 server. In addition, you would have to change the default key size from 2048 to 4096 bits during the CA creation.
NOTE: The Windows Silent Installer requires NICI installed on the system.
If you are upgrading to eDirectory 8.8, make sure you have the latest eDirectory patches installed on all non-eDirectory 8.8 servers in the tree. You can get eDirectory patches from the Novell Support (http://support.novell.com) Web site.
Make sure you have the latest Windows 2003 or 2008 Server Service Packs installed. The latest updated Windows Service Pack needs to be installed after the installation of the Windows SNMP service.
If you are upgrading from a previous version of eDirectory, it must be eDirectory 8.7.3 or later.
(Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that you have the following rights:
Supervisor rights to the container the server is being installed into.
Supervisor rights to the partition where you want to add the server.
(Conditional) If you are installing a secondary server into an existing tree as a non-administrator user, ensure that at least one of the servers in the tree has the same or higher eDirectory version as that of the secondary being added as container admin. In case the secondary being added is of a later version, the schema needs to be extended by the admin of the tree before adding the secondary using container admin.
While configuring eDirectory, you must enable SLP services and an NCP port (the default is 524) in the firewall to allow the secondary server addition. The NCP port must be configured to allow both inbound and outbound traffic.
Additionally, you can enable the following service ports, based on your requirements:
LDAP clear text 389
LDAP secured 636
HTTP clear text 8028
HTTP secured 8030
If you have enabled user-defined ports, you must specify these ports while configuring eDirectory.
If you are installing eDirectory on a virtual machine having a DHCP address or on a physical or virtual machine in which SLP is not broadcast, ensure that the Directory Agent is configured in your network.
4.3 Hardware Requirements
Hardware requirements depend on the specific implementation of eDirectory.
For example, a base installation of eDirectory with the standard schema requires about 74 MB of disk space for every 50,000 users. However, if you add a new set of attributes or completely fill in every existing attribute, the object size grows. These additions affect the disk space, processor, and memory needed.
Two factors increase performance: more cache memory and faster processors.
For best results, cache as much of the DIB Set as the hardware allows.
eDirectory scales well on a single processor. However, Novell eDirectory 8.8 takes advantage of multiple processors. Adding processors improves performance in some areas, for example, logins and having multiple threads active on multiple processors. eDirectory itself is not processor intensive, but it is I/O intensive.
The following table illustrates typical system requirements for Novell eDirectory for Windows:
Memory       384 MB     2 GB         2+ GB
4.4
For more information about the backlink process, see Understanding WAN Traffic Manager in the Novell eDirectory 8.8 SP7 Administration Guide.
4.5
4.6
4.6.1
file.
4 Click Install.
The installation program checks for the following components before it installs eDirectory. If a component is missing or is an incorrect version, the installation program automatically launches an installation for that component.
NICI 2.7
For more information on the Novell International Cryptographic Infrastructure (NICI), see the Novell International Cryptographic Infrastructure 2.7 Administration Guide (http://www.novell.com/documentation/nici27x/index.html).
You might have to reboot the server after the NICI installation. If the installer displays a message saying that you need to reboot your server before continuing, click OK to reboot. The eDirectory installation will continue after the reboot.
Novell Client for Windows
IMPORTANT: The Novell Client is updated automatically if you have an older version of the Client already installed on the machine. For more information on the Client, see the Novell Client for Windows (http://www.novell.com/documentation/lg/noclienu/index.html) online documentation.
5 Click Next.
6 View the license agreement, then click I Accept.
you, click Yes.
10 Specify or confirm the DIB path, then click Next.
11 If the DIB folder does not already exist, and you want the installer to create the folder for you, click Yes.
12 (New installations only) Select an eDirectory installation type, then click Next.
If you are installing a new eDirectory server, specify a Tree name, Server object context, and Admin name and password for the new tree.
If you are installing into an existing tree, specify the Tree name, Server object context, and Admin name and password of the existing tree.
If you are upgrading an eDirectory server, specify the Admin password.
NOTE: In eDirectory 8.8 and later, you can have case-sensitive passwords for all the utilities. Refer to the Novell eDirectory 8.8 SP7 What's New Guide (http://www.novell.com/documentation/edir88/edir88new/data/front.html) for more information.
For information on using dots in container names, see Installing into a Tree with Dotted Name Containers on page 80.
14 (New installations only) In the HTTP Server Port Configuration page, specify the ports to use for
is selected.
17 Select the NMAS login methods you want to install.
For more information about backing up eDirectory, see Backing Up and Restoring Novell eDirectory, in the Novell eDirectory 8.8 SP7 Administration Guide.
4.6.2
4.6.3
A connection to port 636 automatically instantiates a handshake. If the handshake fails, the connection is denied.
IMPORTANT: This default selection might cause a problem for your LDAP server. If a service already loaded on the host server (before eDirectory was installed) uses port 636, you must specify another port.
Installations earlier than eDirectory 8.7 treated this conflict as a fatal error and unloaded nldap.nlm. The eDirectory 8.7.3 onwards installation loads nldap.nlm, places an error message in the dstrace.log file, and runs without the secure port.
Scenario: Port 636 Is Already Used: Your server is running Active Directory. Active Directory is running an LDAP program, which uses port 636. You install eDirectory. The installation program detects that port 636 is already used and doesn't assign a port number for the Novell LDAP server. The LDAP server loads and appears to run. However, because the LDAP server does not duplicate or use a port that is already open, the LDAP server does not service requests on any duplicated port.
If you are not certain that port 389 or 636 is assigned to the Novell LDAP server, run the ICE utility. If the Vendor Version field does not specify Novell, you must reconfigure LDAP Server for eDirectory and select a different port. For more information, see Verifying That the LDAP Server Is Running in the Novell eDirectory 8.8 SP7 Administration Guide.
Scenario: Active Directory Is Running: Active Directory is running. Clear-text port 389 is open. You run the ICE command to port 389 and ask for the vendor version. The report displays Microsoft. You then reconfigure the Novell LDAP server by selecting another port, so that the eDirectory LDAP server can service LDAP requests.
Novell iMonitor can also report that port 389 or 636 is already open. If the LDAP server isn't working, use Novell iMonitor to identify details. For more information, see Verifying That the LDAP Server Is Running in the Novell eDirectory 8.8 SP7 Administration Guide.
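The check the two scenarios describe (ask whoever answers on 389 or 636 who they are, and do not trust that it is eDirectory until the answer says so) can be scripted without the ICE utility. The script below is an added example and not part of the Novell guide: it reads the root DSE with OpenLDAP's ldapsearch, which is assumed to be installed, and classifies the answer as eDirectory, Active Directory or unknown. Active Directory advertises itself through the supportedCapabilities OID 1.2.840.113556.1.4.800; eDirectory names Novell (or NetIQ in later releases) in vendorName and vendorVersion. The two sample root DSE answers are constructed, not captured from real servers, and host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the Novell guide: find out which LDAP server owns
# port 389 or 636 on a host. The guide uses the ICE utility; this version
# reads the root DSE with OpenLDAP's ldapsearch (assumed installed) and
# classifies the answer, and the classifier can be run on captured output.
# Host names are placeholders.

# ldap_root_dse HOST PORT -> root DSE attributes that identify the vendor,
# fetched with an anonymous simple bind (ldaps:// is used for 636).
ldap_root_dse() {
  scheme=ldap
  [ "$2" = 636 ] && scheme=ldaps
  ldapsearch -x -LLL -H "$scheme://$1:$2" -s base -b "" \
    vendorName vendorVersion supportedCapabilities 2>/dev/null
}

# classify_vendor reads root DSE LDIF on stdin and prints one of:
#   microsoft - Active Directory (capability OID 1.2.840.113556.1.4.800, or
#               a vendor attribute naming Microsoft)
#   novell    - eDirectory (vendorName/vendorVersion naming Novell or NetIQ)
#   unknown   - neither; treat the port as not belonging to eDirectory
classify_vendor() {
  ldif=$(tr '[:upper:]' '[:lower:]')
  if printf '%s\n' "$ldif" | grep -qE '^supportedcapabilities: 1\.2\.840\.113556\.1\.4\.800$'; then
    echo microsoft
  elif printf '%s\n' "$ldif" | grep -qE '^vendor(name|version): .*(novell|netiq)'; then
    echo novell
  elif printf '%s\n' "$ldif" | grep -qE '^vendor(name|version): .*microsoft'; then
    echo microsoft
  else
    echo unknown
  fi
}

# check_port_owner HOST PORT -> prints "HOST:PORT VENDOR"; returns 1 unless
# the port is served by eDirectory, which is the condition the guide wants
# verified before trusting that nldap is listening there.
check_port_owner() {
  vendor=$(ldap_root_dse "$1" "$2" | classify_vendor)
  printf '%s:%s %s\n' "$1" "$2" "$vendor"
  [ "$vendor" = novell ]
}

# Constructed sample root DSE answers (not captured from real servers).
SAMPLE_AD='dn:
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
'
SAMPLE_EDIR='dn:
vendorName: Novell, Inc.
vendorVersion: LDAP Agent for Novell eDirectory 8.8 SP7
'
```

`check_port_owner dc1.example.com 389 && check_port_owner dc1.example.com 636` (host name assumed) succeeds only when both ports answer as eDirectory; a `microsoft` or `unknown` result on either port means the eDirectory LDAP server must be reconfigured onto a different port, as the scenarios above describe. An `unknown` on 636 can also mean the TLS handshake failed, which is the same denial the first paragraph mentions.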
4.6.4
4.6.5
Optionally, you can select the NICI check box if you want to install this component.
4 Click OK, then follow the on-screen instructions.
5 Reboot the client workstation after the installation completes.
4.6.6
4.6.7
Prerequisites
Ensure Microsoft Visual C++ 2005 Runtime Libraries are installed. Install them manually from:
32-bit: vcredist_x86.exe, located at eDirectory\nt\i386\redist_pkg
64-bit: vcredist_x86.exe and vcredist_x64.exe, located at eDirectory\nt\x64\redist_pkg
Ensure NICI is installed:
32-bit: eDirectory/Windows/x64/nici/wcniciu0.exe
64-bit: eDirectory/Windows/x64/nici/wcniciu0.exe
Set NICI to server mode:
Run Windows/SysWOW64/novell/nici/set_server_mode.bat
The following sections discuss various features that can be used to configure the unattended installation, including the install location, no display of splash screens, port configurations, additional NMAS methods, stopping and starting SNMP services, etc.
Response Files on page 82
Adding Features to the Automated Installation on page 83
Controlling Automated Installation on page 88
Unattended Installation of eDirectory using Response File on page 91
Response Files
Installing or upgrading to eDirectory 8.8 SP7 on the Windows operating system can be made silent and more flexible by using a response file for the following:
Complete unattended installation with all required user inputs
Default configuration of components
Bypassing all prompts during the installation
Installation Syntax
You can also use a response file for two scenarios in an upgrade:
To provide the values of the tree parameters and to configure an unattended installation.
To input values during an upgrade.
IMPORTANT: You provide the administrator user credentials in the response.ni file for an unattended installation. Therefore, you should permanently delete the file after the installation to prevent the administrator credentials from being compromised.
mode:ThetypeofsetuponeDirectory.Thethreetypesofsetupare: install:PerformsinstallationofeDirectoryoranupgradeoftherequiredfiles. configure:ConfigureseDirectory.Ifyouonlyperformanupgradeoftherequiredfiles,then theinstalleronlyconfigurestheupgradedfiles. full:PerformsbothinstallationandconfigurationofeDirectory.Thistypeofinstallationcan eitherbeinstallationandconfigurationofeDirectoryoranupgradeandconfigurationof onlytherequiredfiles. Bydefault,themodekeyissettofull. NOTE:Ifyouoptforthefullsetupmode,thenwhileuninstallingeDirectoryyoucannotoptfor individualdeconfigurationanduninstallationoption. TreeName:Foraprimaryserverinstallation,thisisthenameofthetreethatneedstoinstalled. Forasecondaryserverinstallation,thisisthetreetowhichthisservermustbeadded. ServerName:Thenameoftheserverthatisbeinginstalled. ServerContainer:Anyserveraddedtoatreehasaserverobjectcontainingalltheconfiguration detailsspecifictotheserver.Thisparameteristhecontainerobjectinthetreetowhichtheserver objectwillbeadded.Forprimaryserverinstallations,thiscontainerwillbecreatedwiththe serverobject. AdminLoginName:Thename(RDN)oftheAdministratorobjectinthetreethathasfullrights, atleasttothecontexttowhichthisserverisadded.Alloperationsinthetreewillbeperformed asthisuser. AdminContext:Anyuseraddedtoatreehasauserobjectthatcontainsalltheuserspecific details.ThisparameteristhecontainerobjectinthetreetowhichtheAdministratorobjectwill beadded.Forprimaryserverinstallations,thiscontainerwillbecreatedwiththeserverobject. Adminpassword:ThepasswordfortheAdministratorobjectcreatedintheprevious parameters.ThispasswordwillbeconfiguredtotheAdministratorobjectduringprimaryserver installations.Forsecondaryserverinstallations,thisneedstobethepasswordofthe Administratorobjectintheprimaryserverthathasrightstothecontexttowhichthenewserver isadded. NDSLocation:TheeDirectoryinstalllocationinthelocalsystemwherethelibrariesand binariesarecopied.Bydefault,eDirectoryisinstalledintoC:\Novell\NDSunlessitischanged intheresponsefile. 
Data Dir: Until eDirectory version 8.8, the DIB was installed inside the NDS location as a subfolder. Later, administrators were given the option to provide a different DIB location, because there might be too much data stored in the DIB to fit into the NDS location. Currently, by default the DIB is installed in the Files subfolder inside the NDS location, but administrators can change this parameter and provide a different location.
The following is a sample of text in the response file for all the basic parameters described above:
[NWI:NDS]
Upgrade Mode=copy
Tree Name=SLP-TEST
Server Name=NDS-LDAP-P2-NDS
Server Container=Novell
Server Context=NDS-LDAP-P2-NDS.Novell
Admin Context=Novell
Admin Login Name=Admin
The following screen appears when the server collects the above parameters from the response file.
Figure 4-5 Installing eDirectory
Method Name         Method Type
CertMutual          Certificate mutual login method
Challenge Response  The Novell challenge response NMAS method
DIGEST-MD5          Digest MD5 login method
GSSAPI              SASL GSSAPI mechanism for eDirectory. Authentication to eDirectory through LDAP using a Kerberos ticket
NDS                 NDS login method (default)
Simple Password     Simple password NMAS login method
The following is sample text in the response file for choosing the NMAS methods:
[NWI:NMAS]
Choices=12
Methods=X509 Advanced Certificate,CertMutual,Challenge Response,DIGESTMD5,Enhanced Password,Entrust,GSSAPI,NDS,NDS Change Password,Simple Password,Universal Smart Card,X509 Certificate
HTTP Ports
eDirectory listens on preconfigured HTTP ports for access through the Web. For example, iMonitor accesses eDirectory through Web interfaces. These interfaces need to specify certain ports in order to access the appropriate applications. There are two keys that can be set prior to installation to configure eDirectory on specific ports:
Clear Text HTTP Port: The port number for the HTTP operations in clear text.
SSL HTTP Port: HTTP port number for operations on the secure socket layer.
The following is sample text in the response file for configuring HTTP port numbers:
[eDir:HTTP]
Clear Text HTTP Port=8028
LDAP Configuration
eDirectory supports LDAP operations. It listens for LDAP requests in clear text and SSL, on two different ports. These ports can be configured in the response file prior to installation so that when eDirectory is started, it listens on these configured ports.
There are three keys in the [NWI:NDS] tag that configure the LDAP ports:
LDAP TLS Port: The port on which eDirectory should listen for LDAP requests in clear text.
LDAP SSL Port: The port on which eDirectory should listen for LDAP requests in SSL. You can also use a key to configure whether eDirectory should mandate secure connections when bind requests send the password in clear text.
Require TLS: Whether eDirectory should mandate TLS when receiving LDAP requests in clear text.
Figure 4-7 LDAP Configuration
The following is sample text in the response file for LDAP configuration:
[NWI:NDS]
Require TLS=No
LDAP TLS Port=389
LDAP SSL Port=636
Language Settings
The eDirectory Installer language settings configure the locale and set the display language. There are currently three locale options that can be set during installation: English, French and Japanese. Each has a specific key in the [Novell:Languages:1.0.0] tag that can be set to True/False prior to the start of installation.
LangID4: English. Setting this to True configures the English locale during installation.
LangID6: French. Setting this to True configures the French locale during installation.
LangID9: Japanese. Setting this to True configures the Japanese locale during installation.
These options are mutually exclusive, which is easily enforced in manual installation via radio buttons. In unattended installations, you need to ensure only one of them is set to True.
The following is sample text in the response file for configuring an English locale:
[Novell:Languages:1.0.0]
LangID4=true
LangID6=false
LangID9=false
The following is sample text in the response file for stopping SNMP services:
[NWI:SNMP]
Stop service=yes
SLP Services
eDirectory uses SLP services to identify other servers or trees in the subnet during installation or upgrade. If SLP services are already installed on your server, and you want to replace them with the version that ships with the current version of eDirectory (or use your own SLP services), you can set appropriate keys in the [NWI:SLP] tag to uninstall and remove the existing SLP services.
The following is sample text in the response file for uninstalling and removing SLP services:
[EDIR:SLP]
Need to uninstall service=true
and for a secondary server installation into an existing tree:
[NWI:NDS]
New Tree=No
[Novell:ExistingTree:1.0.0]
ExistingTreeYes=true
ExistingTreeNo=false
File Copy Tag: This tag contains keys for display settings that are handled in the next section, including the file copy profile information:
These options specify the response from the eDirectory Installer in scenarios such as file write conflicts, file copying decisions, etc.
The [NWI:NDS] section describes eDirectory configuration details such as tree name and server name. If you don't want the Installer to prompt for values for these parameters, set this parameter to False.
[Selected Nodes]
Prompt=false
The Installation Mode key must always be explicitly set to Silent for unattended installations.
Install
32-bit: <Unzipped Location>\nt\I386\NDSonNT>install.exe /silent /nopleasewait /template=<Response file>
For example, D:\builds\88SP7_i386\nt\I386\NDSonNT>install.exe /silent /nopleasewait /template=D:\builds\88SP7_i386\nt\I386\NDSonNT\response.ni
64-bit: <Unzipped Location>\windows\x64\NDSonNT>install.exe /silent /nopleasewait /template=<Response file>
For example, D:\builds\88SP7_i386\windows\x64\NDSonNT>install.exe /silent /nopleasewait /template=D:\builds\88SP7_i386\nt\I386\NDSonNT\response.ni
Configure
32-bit and 64-bit: <Windows Drive>\Program Files\Common Files\novell>install.exe /silent /restrictnoderemove /nopleasewait /template=<Response file>
For example, c:\Program Files\Common Files\novell>install.exe /silent /restrictnoderemove /nopleasewait /template=D:\builds\88SP7_i386\nt\I386\NDSonNT\response.ni
64-bit: <Unzipped Location>\windows\x64\NDSonNT>install.exe /silent /nopleasewait /template=<Response file>
For example, D:\builds\88SP7_i386\windows\x64\NDSonNT>install.exe /silent /nopleasewait /template=D:\builds\88SP7_i386\nt\I386\NDSonNT\response.ni
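The following is an added validator for the response-file keys described in this chapter; it is not part of the Novell installer. It parses a response.ni (constructed below from the fragments shown above) and reports the settings a silent run depends on, plus the credential the IMPORTANT note says to delete afterwards. Two things are assumed because the guide names only the keys: that Installation Mode lives in [NWI:NDS], and that the administrator password key is called Admin Password.

```python
"""Check an eDirectory 8.8 SP7 response.ni before an unattended (silent) install.

Added example, not Novell installer code. Flags the settings this chapter
says a silent run depends on, and reminds that the file holds credentials.
"""
import configparser

LANG_KEYS = {"langid4": "English", "langid6": "French", "langid9": "Japanese"}
SETUP_MODES = {"install", "configure", "full"}

# Constructed from the response-file fragments shown in this chapter.
# Assumptions: "Admin Password" as the key name for the administrator password
# and [NWI:NDS] as the section holding "Installation Mode" (the guide names
# the key but not its section).
SAMPLE_RESPONSE_NI = """\
[NWI:NDS]
Installation Mode=Silent
Upgrade Mode=copy
Tree Name=SLP-TEST
Server Name=NDS-LDAP-P2-NDS
Server Container=Novell
Server Context=NDS-LDAP-P2-NDS.Novell
Admin Context=Novell
Admin Login Name=Admin
Admin Password=PLACEHOLDER-not-a-real-password
Require TLS=No
LDAP TLS Port=389
LDAP SSL Port=636

[eDir:HTTP]
Clear Text HTTP Port=8028

[Novell:Languages:1.0.0]
LangID4=true
LangID6=false
LangID9=false

[Selected Nodes]
Prompt=false
"""


def parse_response_file(text):
    # strict=False merges repeated [NWI:NDS] blocks (the guide shows several)
    # instead of raising DuplicateSectionError; ':' must not act as a delimiter
    # because section names such as [NWI:NDS] contain it.
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def find_key(cp, wanted):
    """Return (section, value) for the first occurrence of `wanted` in any section."""
    wanted = wanted.lower()  # configparser lowercases option names
    for section in cp.sections():
        for key, value in cp.items(section):
            if key == wanted:
                return section, value.strip()
    return None, None


def validate_response_file(text):
    """Return a list of 'ERROR: ...' and 'WARN: ...' findings for a response file."""
    cp = parse_response_file(text)
    findings = []

    # A silent run must never fall back to interactive prompts.
    _, inst_mode = find_key(cp, "Installation Mode")
    if inst_mode is None or inst_mode.lower() != "silent":
        findings.append("ERROR: Installation Mode must be explicitly set to Silent")
    prompt = cp.get("Selected Nodes", "Prompt", fallback="")
    if prompt.strip().lower() != "false":
        findings.append("ERROR: [Selected Nodes] Prompt must be false")

    # Setup type, when given, is one of the three documented values.
    _, mode = find_key(cp, "mode")
    if mode is not None and mode.lower() not in SETUP_MODES:
        findings.append(f"ERROR: mode={mode!r} is not one of {sorted(SETUP_MODES)}")

    # The locale flags are mutually exclusive; nothing enforces that in a silent run.
    langs = cp["Novell:Languages:1.0.0"] if cp.has_section("Novell:Languages:1.0.0") else {}
    enabled = [name for key, name in LANG_KEYS.items()
               if langs.get(key, "false").strip().lower() == "true"]
    if len(enabled) != 1:
        findings.append(f"ERROR: exactly one LangID key may be true, found {enabled}")

    # Require TLS=No leaves clear-text binds on the LDAP TLS Port acceptable.
    _, require_tls = find_key(cp, "Require TLS")
    if require_tls is not None and require_tls.lower() == "no":
        findings.append("WARN: Require TLS=No accepts LDAP binds that send the password in clear text")

    # The file carries the administrator credentials: the guide says delete it after install.
    for section in cp.sections():
        for key in cp[section]:
            if "password" in key:
                findings.append(f"WARN: [{section}] {key} stores a credential; delete the file after the install")
    return findings


if __name__ == "__main__":
    for finding in validate_response_file(SAMPLE_RESPONSE_NI):
        print(finding)
```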
5
5.1
The menu expands to include the options you can perform on a specific instance.
2c Enter k to stop the instance.
3 Get the current DIB location using the following command:
ndsconfig get n4u.nds.dir
NOTE: In eDirectory 8.8, by default the DIB is located at /var/opt/novell/eDirectory/data/ and on pre-eDirectory 8.8 servers, it is located at /var/nds/.
4 Copy the DIB to the new location as follows:
cp -rp current_location new_location
For example, to copy the DIB to /home/nds/, enter the following:
cp -rp /var/opt/novell/eDirectory/data/* /home/nds/
5 Edit the instance-specific nds.conf configuration file and change the parameter value of n4u.nds.dir as follows:
n4u.nds.dir=new_location
For example, if you are changing the DIB from /var/nds/ to /home/nds/, type the following:
n4u.nds.dir=/home/nds/
6 Start the eDirectory service as follows:
6a Enter ndsmanage at the command prompt.
6b Select the instance you want to start.
The menu expands to include the options you can perform on a specific instance.
6c Enter s to start the instance.
7 Check the server status as follows:
ndscheck
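Steps 3 to 5 of the procedure above, as an added Python example that is not part of the guide: it reads n4u.nds.dir from the instance's nds.conf, copies the DIB while keeping timestamps and modes (the -p of cp -rp), and rewrites the parameter. Stopping and starting the instance with ndsmanage and the closing ndscheck stay manual steps; the demo layout and its nds.db placeholder are constructed.

```python
"""Relocate an eDirectory DIB on Linux: steps 3 to 5 of the procedure above.

Added example, not part of the guide. Stopping/starting the instance with
ndsmanage and the ndscheck at the end remain manual steps.
"""
import os
import re
import shutil
import tempfile

DIB_KEY = "n4u.nds.dir"
DEFAULT_DIB = "/var/opt/novell/eDirectory/data/"  # the 8.8 default noted above


def current_dib_location(nds_conf_path):
    """File-level equivalent of `ndsconfig get n4u.nds.dir` for one instance."""
    with open(nds_conf_path) as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key.strip() == DIB_KEY:
                return value.strip()
    return DEFAULT_DIB


def rewrite_dib_location(nds_conf_path, new_location):
    """Set n4u.nds.dir=<new_location>, replacing the existing line or appending one."""
    with open(nds_conf_path) as fh:
        lines = fh.read().splitlines()
    pattern = re.compile(r"^\s*" + re.escape(DIB_KEY) + r"\s*=")
    new_line = f"{DIB_KEY}={new_location}"
    hits = [i for i, line in enumerate(lines) if pattern.match(line)]
    for i in hits:
        lines[i] = new_line
    if not hits:
        lines.append(new_line)
    with open(nds_conf_path, "w") as fh:
        fh.write("\n".join(lines) + "\n")


def relocate_dib(nds_conf_path, new_location):
    """Copy the DIB (the cp -rp step) and point nds.conf at the new location.

    Refuses a non-empty destination so a typo cannot merge two DIBs, and
    leaves the original in place so the change can be reverted by editing
    nds.conf back.
    """
    old_location = current_dib_location(nds_conf_path)
    if not os.path.isdir(old_location):
        raise FileNotFoundError(f"current DIB location {old_location} does not exist")
    if os.path.isdir(new_location) and os.listdir(new_location):
        raise FileExistsError(f"{new_location} is not empty; refusing to copy the DIB into it")
    # copy2 keeps timestamps and mode bits like cp -p; ownership is not carried
    # over, so check it afterwards when running as root.
    shutil.copytree(old_location, new_location, copy_function=shutil.copy2, dirs_exist_ok=True)
    rewrite_dib_location(nds_conf_path, new_location)
    return old_location, new_location


def demo_relocation():
    """Build a constructed, throwaway instance layout and relocate its DIB."""
    base = tempfile.mkdtemp(prefix="edir-dib-demo-")
    old = os.path.join(base, "data") + os.sep
    new = os.path.join(base, "home", "nds") + os.sep
    os.makedirs(old)
    with open(os.path.join(old, "nds.db"), "w") as fh:
        fh.write("constructed placeholder, not a FLAIM database\n")
    conf = os.path.join(base, "nds.conf")
    with open(conf, "w") as fh:
        fh.write(f"n4u.base.tree-name=SLP-TEST\n{DIB_KEY}={old}\n")
    relocate_dib(conf, new)
    return {
        "configured": current_dib_location(conf),
        "expected": new,
        "copied": os.path.isfile(os.path.join(new, "nds.db")),
        "original_kept": os.path.isfile(os.path.join(old, "nds.db")),
    }


if __name__ == "__main__":
    print(demo_relocation())
```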
5.2
Windows
DIB relocation is currently not supported. However, you can locate the DIB in a custom location during the eDirectory installation.
One of the unique features of eDirectory is its ability to maintain tight referential integrity. Any object classes derived from Top will have a Reference attribute in its class definition. This is a hidden attribute added to all the referenced objects that are internally maintained by eDirectory. Background processes keep running to check the links between the referenced object and the referencing objects. If the referenced object is from a different partition than the one held locally in the server, an external reference to that object will be created locally in the external reference partition. An external reference is a representation of an object existing in the eDirectory tree. However, it is not a copy of the object and its assigned attributes.
Though we can remove the Reference attribute from eDirectory, currently, the class definitions are untouched to maintain the backward compatibility in the tree.
Figure 6-1 iMonitor Output showing References to an Object
6.1
6.2
UNIX/Linux    ndsupg
Windows       ndsupg.exe
The following table discusses the ndsupg options.
Table 6-1 ndsupg Options
Option  Description
-q      Quiet mode. There will not be any messages in quiet mode. Messages will be logged to the log file (if provided) even in -q mode. It is recommended that you always provide a log file name for troubleshooting purposes.
-d      Dry run. Upgrade will be performed on a copy of the actual database. IMPORTANT: ds.nlm should be unloaded before loading dsup.nlm. This option can be used if the administrator wants to know if the upgrade is going to be successful and also to estimate the time required to upgrade the database. It is recommended to take a copy of the DIB. NOTE: eDirectory service should be unloaded or stopped before taking a copy of the database. The ndsupg utility can be run on the copied database to estimate the downtime required for the actual upgrade. During this time, eDirectory service can be loaded or restarted.
-v      Verbosity of the messages. The default value is 3, where all messages are logged. It is recommended to always leave the verbosity level at its default value.
-l      Provide a log file name where messages are logged during upgrade. The log file will indicate the time the upgrade started and the end time. Given below is a snapshot of the log file.
6.3
6.3.1
Question: I am upgrading from eDirectory 8.7.x to eDirectory 8.8. The upgrade process failed with an error. My eDirectory 8.7.x server no longer comes up.
Answer: While upgrading from 8.7.x to eDirectory 8.8, the database goes through a two-phase upgrade. In the first phase, a key pair is created for encrypted attributes support, which was introduced in eDirectory 8.8. In the second phase, DIB upgrade happens for reference changes. In case the second phase fails after the first phase, the existing binaries (eDirectory 8.7.x) will not be able to open the database as the database is already upgraded to 8.8 level and the database version is changed to
Question: The upgrade process seems to be taking a lot of space in the storage.
Answer: Since the entire reference upgrade has to be done in a single transaction and transaction rollback is required in case the upgrade fails, FLAIM keeps the changed blocks in its nds.db file. As a result of this, you might observe the nds.db growing during the upgrade process. This is quite normal. The file might spill over to nds.00v, nds.002, etc. The upgrade process will require as much as 100% of existing disk space depending on the number of objects to be upgraded. For example, a DIB size of 15 GB might require another 15 GB of free space, if all objects in the DIB have reference attributes.
Question: The eDirectory database upgrade proceeds even if I provide a wrong password and admin user.
Answer: eDirectory package upgrade and database upgrade happen based on your file system rights. The eDirectory administrator password will not be used for this. It has a side effect that the login might fail once the upgrade begins. The next attempt to use the ndsconfig upgrade command will always go through.
Question: I provided a wrong password for administrator. My upgrade failed, and I started the upgrade again with the correct password. The upgrade is again taking a long time (as long as 1 hour for 5 million objects with reference attributes on all) to bring up the initial display.
Answer: eDirectory maintains the reference attributes in a separate container in the database. The delay in the initial display is due to the time it takes FLAIM to delete the database container that holds the Reference attribute records.
Novell eDirectory includes configuration utilities that simplify the configuration of various eDirectory components on Linux, Solaris, and AIX systems. The following sections provide information about functionality and usage of eDirectory configuration components:
Section 7.1, Configuration Utilities, on page 101
Section 7.2, Configuration Parameters, on page 103
Section 7.3, Security Considerations, on page 108
7.1
Configuration Utilities
This section provides information about using the following eDirectory configuration utilities:
Section 7.1.1, The ndsconfig Utility, on page 101
Section 7.1.2, Using LDAP Tools to Configure the LDAP Server and LDAP Group Objects, on page 102
Section 7.1.3, Using the nmasinst Utility to Configure Novell Modular Authentication Service, on page 102
Section 7.1.4, Using ndsd init Script, on page 102
7.1.1
7.1.2
Using LDAP Tools to Configure the LDAP Server and LDAP Group Objects
You can use the LDAP tools included with eDirectory on Linux, Solaris, and AIX systems to modify, view, and refresh the attributes of LDAP Server and Group objects.
For more information, see Using LDAP Tools on Linux, Solaris, or AIX in the Novell eDirectory 8.8 SP7 Administration Guide.
7.1.3
7.1.4
that the LDAP services are up and running.
7.2
Configuration Parameters
The eDirectory configuration parameters are stored in the nds.conf file.
When configuration parameters are changed, ndsd needs to be restarted for the new value to take effect. You should use ndsmanage to restart ndsd.
However, for some configuration parameters, ndsd need not be restarted. These parameters are listed below:
n4u.nds.inactivity-synchronization-interval
n4u.nds.synchronization-restrictions
n4u.nds.janitor-interval
n4u.nds.backlink-interval
n4u.nds.drl-interval
n4u.nds.flatcleaning-interval
n4u.nds.server-state-up-threshold
n4u.nds.heartbeat-schema
n4u.nds.heartbeat-data
The following table provides a description of all the configuration parameters.
Parameter  Description

n4u.nds.preferred-server
    The host name of the machine that hosts the eDirectory service.
    Default = null

n4u.base.tree-name
    The tree name that Account Management uses. This is a mandatory parameter set by the Account Management Installer. This parameter cannot be set.

n4u.base.dclient.use-udp
    DClient can use UDP in addition to TCP for communicating with the eDirectory servers. This parameter enables the UDP transport feature.
    Default = 0
    Range = 0, 1

n4u.base.slp.max-wait
    The Service Location Protocol (SLP) API calls timeout.
    Default = 30
    Range = 3 to 100
    This value is in seconds. This option is supported only by Novell SLP and not OpenSLP.

n4u.nds.advertise-life-time
    eDirectory reregisters itself with the Directory Agent after this time period.
    Default = 3600
    Range = 1 to 65535
    This value is in seconds.

n4u.server.signature-level
    Determines the level of enhanced security support. Increasing this value increases security, but decreases performance.
    Default = 1
    Range = 0 to 3

n4u.nds.dir
    Default = /var/opt/novell/eDirectory/data/
    This parameter cannot be set using the ndsconfig set command. You can manually change this parameter if you want to relocate your DIB. However, we do not recommend you do so.

n4u.nds.server-guid

n4u.nds.server-name

n4u.nds.bindery-context

n4u.nds.server-context
    The context that the eDirectory server is added to. This parameter cannot be set or changed.

n4u.nds.external-reference-life-span
    The number of hours unused external references are allowed to exist before being removed.
    Default = 192
    Range = 1 to 384

n4u.nds.inactivity-synchronization-interval
    The interval (in minutes) after which full synchronization of the replicas is performed, following a period of no change to the information held in the eDirectory on the server.
    Default = 60
    Range = 2 to 1440

n4u.nds.synchronization-restrictions
    The Off value allows synchronization with any version of the eDirectory. The On value restricts synchronization to version numbers you specify as parameters. For example, ON,420,421.
    Default = Off

n4u.nds.janitor-interval
    The interval (in minutes) after which the eDirectory Janitor process is executed.
    Default = 2
    Range = 1 to 10080

n4u.nds.backlink-interval
    The interval (in minutes) after which the eDirectory backlink consistency is checked.
    Default = 780
    Range = 2 to 10080

n4u.nds.drl-interval
    The interval (in minutes) after which the eDirectory distributed reference link consistency is checked.
    Default = 780
    Range = 2 to 10080

n4u.nds.flatcleaning-interval
    The interval (in minutes) after which the flatcleaner process automatically begins purging and deleting entries from the database.
    Default = 720
    Range = 1 to 720

n4u.nds.server-state-up-threshold
    The server state up threshold, in minutes. This is the time after which the eDirectory checks the server state before returning -625 errors.
    Default = 30
    Range = 1 to 720

n4u.nds.heartbeat-schema
    The heartbeat base schema synchronization interval in minutes.
    Default = 240
    Range = 2 to 1440

n4u.nds.heartbeat-data

n4u.nds.dofsync
    Setting this parameter to 0 increases update performance significantly for large databases, but there is a risk of database corruption if the system crashes.

n4u.server.configdir
    The eDirectory configuration files are placed here.
    Default = /etc

n4u.server.vardir
    The eDirectory and utilities log files are placed here.
    Default = /var/opt/novell/eDirectory/log

n4u.server.libdir
    The eDirectory specific libraries are placed here in the nds-modules directory.
    Default = /opt/novell/eDirectory/lib

n4u.server.sid-caching
    Enables SSL session ID caching. Refer to the SSL v3.0 RFC for more details about session ID caching in SSL.

n4u.server.tcp-port
    The default port used if the port number is not specified in the n4u.server.interfaces parameter.

n4u.server.interfaces
    The IP address and port number that the eDirectory server should listen on for client connections. The value can be a comma-separated list specifying more than one combination of possible settings. For example:

n4u.server.max-openfiles
    This parameter specifies the maximum number of file descriptors that eDirectory can use.
    Default = maximum allowed by the administrator

n4u.server.max-threads
    The maximum number of threads that will be started by the eDirectory server. This is the number of concurrent operations that can be done within the eDirectory server.
    Default = 64
    Range = 32 to 512
    Refer to the Novell eDirectory 8.8 SP7 Tuning Guide for UNIX* Platforms to set an optimum value.

n4u.server.idle-threads
    The maximum number of idle threads that are allowed in the eDirectory server.
    Default = 8
    Range = 1 to 128

n4u.server.start-threads

n4u.server.log-levels
    This parameter helps to configure the error logging settings for the server-side messages. It sets the message log level to LogFatal, LogWarn, LogErr, LogInfo, or LogDbg.

n4u.server.log-file
    This parameter specifies the log file location where the messages would be logged. By default, the messages are logged into the ndsd.log file.

n4u.ldap.lburp.transize
    Number of records that are sent from the Novell Import/Export client to the LDAP server in a single LBURP packet. You can increase the transaction size to ensure that multiple add operations can be performed in a single request.
    Default = 25
    Range = 1 to 250

n4u.server.listen-on-loopback
    It is a boolean parameter, and enabled by default. In a few recent Linux distributions, the hostname in the /etc/hosts file is associated with the loopback address. Though the common address given in the SLES systems is 127.0.0.2, it can be anything from 127.0.0.0 to 127.255.255.255 (valid loopback addresses).

(parameter name not shown)
    Comma-separated list of interfaces that the HTTP server should use.

(parameter name not shown)
    Default IO buffer size.

(parameter name not shown)
    Number of seconds to wait for the next request from the same client on the same connection.

(parameter name not shown)
    HTTP thread pool size per processor.

http.server.session-exp-seconds
    Session expiration time in seconds.

http.server.sadmin-passwd
    Session administrator password.

http.server.module-base
    HTTP server webroot.

https.server.cached-cert-dn
    HTTPS server cached certificate DN.

https.server.cached-server-dn
    HTTPS server cached DN.

http.server.trace-level
    Diagnostic trace level of HTTP server.

http.server.auth-req-tls
    HTTP server authentication requires TLS.

http.server.clear-port
    Server port for the HTTP protocol.

http.server.tls-port
    Server port for the HTTPS protocol.
NOTE: For more detailed information on the eDirectory configuration parameters, refer to the nds.conf man page.
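An added check, not Novell tooling, that reads an nds.conf and compares the integer parameters against the ranges in the table above, flags the two settings the table calls out as trade-offs (n4u.nds.dofsync=0 and a low n4u.server.signature-level), and reports which changed keys still need an ndsd restart according to the list above. The sample nds.conf is constructed; treating '#' lines as comments is this script's convention.

```python
"""Check an nds.conf against the parameter table above.

Added example, not Novell tooling. Ranges, defaults and the no-restart list are
taken from this section; the sample nds.conf is constructed.
"""

# key: (minimum, maximum, default) as documented in the table above
RANGES = {
    "n4u.base.dclient.use-udp": (0, 1, 0),
    "n4u.base.slp.max-wait": (3, 100, 30),
    "n4u.nds.advertise-life-time": (1, 65535, 3600),
    "n4u.server.signature-level": (0, 3, 1),
    "n4u.nds.external-reference-life-span": (1, 384, 192),
    "n4u.nds.inactivity-synchronization-interval": (2, 1440, 60),
    "n4u.nds.janitor-interval": (1, 10080, 2),
    "n4u.nds.backlink-interval": (2, 10080, 780),
    "n4u.nds.drl-interval": (2, 10080, 780),
    "n4u.nds.flatcleaning-interval": (1, 720, 720),
    "n4u.nds.server-state-up-threshold": (1, 720, 30),
    "n4u.nds.heartbeat-schema": (2, 1440, 240),
    "n4u.server.max-threads": (32, 512, 64),
    "n4u.server.idle-threads": (1, 128, 8),
    "n4u.ldap.lburp.transize": (1, 250, 25),
}

# Parameters that take effect without restarting ndsd (listed above).
NO_RESTART = {
    "n4u.nds.inactivity-synchronization-interval",
    "n4u.nds.synchronization-restrictions",
    "n4u.nds.janitor-interval",
    "n4u.nds.backlink-interval",
    "n4u.nds.drl-interval",
    "n4u.nds.flatcleaning-interval",
    "n4u.nds.server-state-up-threshold",
    "n4u.nds.heartbeat-schema",
    "n4u.nds.heartbeat-data",
}

# Constructed sample; the out-of-range and risky values are deliberate.
SAMPLE_NDS_CONF = """\
# constructed nds.conf for illustration
n4u.base.tree-name=SLP-TEST
n4u.nds.server-name=NDS-LDAP-P2-NDS
n4u.nds.dir=/var/opt/novell/eDirectory/data/
n4u.server.configdir=/etc/opt/novell/eDirectory/conf
n4u.server.vardir=/var/opt/novell/eDirectory/log
n4u.server.libdir=/opt/novell/eDirectory/lib
n4u.server.signature-level=0
n4u.server.max-threads=1024
n4u.nds.janitor-interval=5
n4u.nds.dofsync=0
http.server.clear-port=8028
"""


def parse_nds_conf(text):
    """nds.conf is flat key=value lines; '#' lines are treated as comments here."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def check_nds_conf(text):
    """Return 'ERROR: ...' for out-of-range values and 'WARN: ...' for risky ones."""
    params = parse_nds_conf(text)
    findings = []
    for key, value in params.items():
        if key not in RANGES:
            continue
        lo, hi, default = RANGES[key]
        try:
            number = int(value)
        except ValueError:
            findings.append(f"ERROR: {key}={value!r} is not an integer")
            continue
        if not lo <= number <= hi:
            findings.append(f"ERROR: {key}={number} is outside the documented range {lo} to {hi} (default {default})")
    if params.get("n4u.nds.dofsync") == "0":
        findings.append("WARN: n4u.nds.dofsync=0 risks DIB corruption if the system crashes")
    if params.get("n4u.server.signature-level") == "0":
        findings.append("WARN: n4u.server.signature-level=0 is the lowest enhanced security level")
    return findings


def needs_restart(changed_keys):
    """Keys among `changed_keys` whose new value needs an ndsd restart (via ndsmanage)."""
    return [key for key in changed_keys if key not in NO_RESTART]


if __name__ == "__main__":
    for finding in check_nds_conf(SAMPLE_NDS_CONF):
        print(finding)
```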
7.3
Security Considerations
The following security considerations are recommended:
Make sure that only authenticated users have browse rights to the tree. To limit this, do the following:
Remove browse rights of [Public] on tree root.
Assign [Root] browse rights on tree root.
Set the ldapBindRestrictions attribute on the LDAP server object to Disallow anonymous Simple Bind. This prevents the clients from doing anonymous binds.
By default, the cipher is set to Export. Make LDAP more secure by setting the cipher to HIGH. To do this, change the bind restrictions attribute of the LDAP Server object to Use Higher Cipher (greater than 128 bit).
This document guides you to migrate your Novell eDirectory 8.7.3.x server to eDirectory 8.8 SP7 when you have to upgrade your operating system also. With the change in the operating systems supported in eDirectory 8.8 SP7, there are certain versions that eDirectory 8.8 SP7 does not support that were earlier supported with eDirectory 8.7.3.x.
There are two scenarios while migrating to eDirectory 8.8 SP7:
Migrating to eDirectory 8.8 SP7 when platform upgrade is possible: In this scenario, you upgrade your operating system to a supported version and then upgrade eDirectory to eDirectory 8.8 SP7.
Migrating to eDirectory 8.8 SP7 when platform upgrade is not possible: In this scenario, you cannot upgrade your operating system to a supported version as the operating system migration path is not possible.
8.1
Starting State                          Intermediate State                      Desired State

Windows
Windows 2000 SP4 + eDirectory 8.7.3.x   Windows 2003 SP2 + eDirectory 8.7.3.x   Windows 2003 SP2 + eDirectory 8.8 SP7
Windows 2003 SP2 + eDirectory 8.7.3.x   Windows 2003 SP2 + eDirectory 8.8 SP7   Windows 2008 SP2 + eDirectory 8.8 SP7

Precautions: Before upgrading eDirectory on UNIX and Linux, ensure that the hostname is configured to a valid IP address and not to the loopback address in the /etc/hosts file.

Linux
SLES 9 + eDirectory 8.7.3.x             SLES 10 + eDirectory 8.7.3.x            SLES 10 + eDirectory 8.8 SP7
RedHat AS 4.0 + eDirectory 8.8 SP2      RedHat AS 5.3 + eDirectory 8.8 SP2      RedHat AS 5.3 + eDirectory 8.8 SP7

AIX
AIX 5.3 + eDirectory 8.8 SP6            AIX 6.1 + eDirectory 8.8 SP6            AIX 6.1 + eDirectory 8.8 SP7
Recommendations
1 Back up your eDirectory 8.7.3.x files before upgrading the operating system. Stop eDirectory and
eDirectory version is not supported on a particular operating system in the intermediate state. For example, eDirectory 8.7.3.x on Solaris 10.
8.2
9 Edit /etc/opt/novell/eDirectory/conf/.edir/instances.0 and put the absolute path to the nds.conf file.
10 Edit the nds.conf file and add the following:
n4u.nds.dir=_file_location
n4u.server.libdir=/opt/novell/eDirectory/lib
n4u.server.vardir=var_directory
n4u.server.configdir=/etc/opt/novell/eDirectory/conf
http.server.module-base=http_server_module_base_directory
11 Set the path as follows:
Use the /opt/novell/eDirectory/bin/ndspath utility.
12 Run ndsconfig upgrade after setting the path.
eDirectory migration from NetWare requires the migration of eDirectory data and server identity to provide seamless accessibility after migration. The eDirectory migration utility performs all of the pre-migration tasks, health validations and server backups, server migration tasks, and post-migration tasks for you.
The following sections give you more details on the migration procedure for eDirectory. For more information, see the Novell Open Enterprise Server Migration Web site (http://www.novell.com/products/openenterpriseserver/migrate.html) and the OES 2 SP3: Upgrading to OES Best Practices Guide (http://www.novell.com/documentation/oes2/upgrade_to_oes_lx/data/front.html).
Section 9.1, Planning Your Migration, on page 113
Section 9.2, Migration Tools, on page 114
Section 9.3, Migration Procedure, on page 114
Section 9.4, After the Migration, on page 116
9.1
9.1.1
System Requirements
The target server must run OES 2 and should have the eDirectory 8.8 SP7 RPMs already installed.
If the target OES 2 server has a default eDirectory 8.8 SP7 instance already configured, this instance should be active. This instance will be overwritten after the migration.
OES 2 does not support multiple instances of eDirectory on the same server, so any non-default instances should not be running during migration.
The source NetWare server should be running and should not be part of any partition operation.
9.1.2
Prerequisites
The eDirectory migration utility will run only on the target server and must be able to access the NetWare server remotely.
9.1.3
Supported Platforms
The eDirectory migration utility is designed to run on the Linux version of OES 2, which is the target platform for migration. The following table lists the compatible eDirectory versions at source and the corresponding target servers:
Table 9-1 eDirectory Versions at Source and Target Servers
Source Server                          Target Server
NetWare 5.1 SP8 + eDirectory 8.7.3.6   Physical or Virtualized OES 2 Linux 32 or 64
NetWare 5.1 SP8 + eDirectory 8.7.3.7   Physical or Virtualized OES 2 Linux 32 or 64
NetWare 6.5 SP6 + eDirectory 8.7.3.9   Physical or Virtualized OES 2 Linux 32 or 64
NetWare 6.5 SP6 + eDirectory 8.8       Physical or Virtualized OES 2 Linux 32 or 64
NetWare 6.5 SP6 + eDirectory 8.8 SP1   Physical or Virtualized OES 2 Linux 32 or 64
NetWare 6.5 SP6 + eDirectory 8.8 SP3   Physical or Virtualized OES 2 Linux 32 or 64
9.1.4
Considerations
IP address and DNS migrations are not performed by this migration utility.
Only the eDirectory instance will be migrated. Applications depending on eDirectory will not be migrated.
You should not use this migration methodology if you want both the servers to be available during the migration operation.
NOTE: Only the target server will be available after the migration. The source server will be locked. Other service migrations cannot be performed after completing eDirectory migration.
9.2
Migration Tools
The eDirectory migration is performed independently of the OES migration framework. The complete migration task is performed by invoking the migedir command line utility.
9.3
Migration Procedure
1 Run the migedir utility by entering the following command on the target server:
migedir -s <IP address> [-A <log directory name>] [-t] [-v] [-h]
The utility takes the following command line options:
Option             Description
-s IP address      Specifies the IP address of the source server containing the eDirectory instance to be migrated. IMPORTANT: -s is a mandatory parameter.
-A directory name  Enables auditing. directory name specifies the directory in which log files should be created.
-t                 Tests the validity of the input parameters. NOTE: This option verifies the IP address. However, it does not perform the actual migration.
-v                 Enables the verbose mode.
-h                 Prints help about using this utility.
2 Follow the on-screen instructions as the utility performs the migration.
The migration utility does some pre-migration checks, performs the migration, then does some post-migration tasks.
Pre-migration on page 115
Migration on page 115
Post-migration on page 115
Handling Failures on page 116
Pre-migration
The utility performs the following checks:
The health and state of the replicas in the ring are verified.
Configuration information for the server being migrated is collected and written to a configuration file to be used by other operations during the migration.
Time synchronization is verified between the source and target servers.
The target server is checked for any existing eDirectory instances.
If the instance exists, the user is prompted and the existing instance is removed before proceeding with the migration.
If the instance doesn't exist, a new instance is configured and used.
Migration
The utility performs the migration of the eDirectory instance from the collected configuration information. This involves backing up the source server data, locking the eDirectory instance in the source server, migrating data to the target server, and restoring the eDirectory instance on the target server. The dependent NICI files are also migrated.
The utility also configures the local instance in the target server with the source server details obtained during the previous checks.
Post-migration
After migration, the following tasks are performed by the utility:
The nds.conf configuration file is modified with the source server eDirectory instance information, such as tree name and server name.
Handling Failures
During migration, the database in the source server is locked to avoid multiple copies of the instance running on the source and target servers. Multiple copies of the same instance can lead to data inconsistency. If the process fails and if you intend to bring up the source server again, you need to perform the following tasks:
1 Remove the partially migrated eDirectory instance on the target server.
9.4
10
The primary method through which Novell eDirectory supports high availability is by configuring multiple servers through synchronization. However, clustering may be a more viable alternative for achieving high availability in some environments.
This section provides guidelines for configuring eDirectory on high availability clusters by using shared storage. The information in this section is generalized for shared storage high availability clusters on supported Windows and Linux platforms, and the information is not specific to a particular cluster manager.
State data for eDirectory must be located on the shared storage so that it is available to the cluster node that is currently running the services. This means that the eDirectory DIB must be located on the cluster shared storage. The root eDirectory instance on each of the cluster nodes must be configured to use the DIB on the shared storage.
In addition to the DIB, it is also necessary to share NICI (Novell International Cryptographic Infrastructure) data so that server-specific keys are replicated among the cluster nodes. NICI data used by all cluster nodes must be located on the cluster shared storage.
Other eDirectory configuration and log data should also reside on shared storage.
eDirectory 8.8 SP7 includes a utility for both Linux and Windows servers that automatically configures eDirectory in your clustered environment, including copying data to a specified shared storage location, updating the appropriate configuration parameters, and setting up eDirectory services on cluster nodes other than the primary node.
The procedures in the following sections are based on the following assumptions:
You are familiar with eDirectory installation procedures.
You are using a two-node cluster.
NOTE: A two-node cluster is the minimum configuration used for high availability. However, the concepts in this section can easily be extended to a cluster with additional nodes. Note that eDirectory does not support load balancing by using multiple cluster nodes.
This section covers the following topics:
Section 10.1, Clustering eDirectory Services on Linux, on page 118
Section 10.2, Clustering eDirectory Services on Windows, on page 120
Section 10.3, Troubleshooting Clustered Environments, on page 123
Section 10.4, Configuration Utility Options, on page 123
10.1
10.1.1
Prerequisites
Two or more Linux servers with clustering software
External shared storage supported by the cluster software, with sufficient disk space to store all eDirectory and NICI data
Virtual IP address
Novell eDirectory 8.8 SP7 or later
NOTE: The ndsclusterconfig utility only supports configuring the root eDirectory instance. eDirectory does not support configuring multiple instances and non-root installations of eDirectory in a cluster environment.
10.1.2
more information on installation and configuration procedures, refer to Section 1.6.2, Using the ndsinstall Utility to Install eDirectory Components, on page 20.
NOTE
When configuring eDirectory, the default NCP server name is the host server name of the computer on which you installed eDirectory. Because eDirectory is hosted on multiple hosts in a clustered environment, however, you should specify an NCP server name that is unique to the cluster instead of using the default name. For example, you can specify the name clusterserver for the NCP server when you configure eDirectory on the primary cluster node.
During the configuration process, ensure you set the virtual IP address for your eDirectory installation. In a clustered environment, eDirectory only listens on the virtual IP address, not on the system IP address.
2 After you install and configure eDirectory, navigate to the nds.conf file, which is located in /etc/opt/novell/eDirectory/conf.
3 Edit the nds.conf file to set the value of the n4u.nds.preferred-server setting to the virtual IP address of the clustered installation, then save and close the file.
4 Verify the eDirectory installation by using the ndsstat command.
eDirectory must be up and running on the primary cluster node.
5 Mount the shared file system by using the cluster manager.
6 Back up all data in the following directories before running the configuration utility:
eDirectory service:
ndsmanage stopall
8 In the terminal, navigate to the location of the configuration utility, nds-cluster-config. The utility is located in the /opt/novell/eDirectory/bin directory.
9 Run the following command:
nds-cluster-config -s /<sharedfilesystem>
primary cluster node, but do not configure eDirectory.
17 In the terminal, navigate to the location of the configuration utility on the secondary node. The utility is located in the /opt/novell/eDirectory/bin directory.
18 Open a terminal and run the following command:
nds-cluster-config -s /<sharedfilesystem>
Verify the status of eDirectory by using the ndsstat command.
20 Stop eDirectory services on the secondary node by running the ndsmanage stopall command.
21 After successfully configuring eDirectory on both nodes of the cluster, you must also change the startup mode of the ndsd service on each node by using the following command:
chkconfig -d ndsd
22 After the configuration utility finishes configuring the secondary node, you can use the cluster
10.1.3
Configuring SNMP Services for eDirectory in the Novell eDirectory 8.8 SP7 Administration Guide.
2 Start ndssnmpsa.
3 Select Yes as the Remember password option.
4 To start the snmp service, perform either of the following:
10.2
10.2.1
Prerequisites
Two or more Windows servers with clustering software
10.2.2
utility is located in the <eDirectory installation folder> folder by default.
9 Run the following command:
dsclusterconfig.exe -s /<shared file system>
on the cluster.
The configuration utility moves the data in the directories above to the following locations on the shared file system:
<shared file system>/nici
<shared file system>/Files
In addition to moving eDirectory data to the shared file system, the utility copies the eDirectory service registry key to the shared volume, saving the key as the file ndsConfigKey.
The utility also changes the Startup Type of the NDS Server service on the primary node computer from Automatic to Manual.
11 In the NDSCons utility, click Startup to start all eDirectory services.
12 Verify that all eDirectory services are running, then use the NDSCons utility to stop services again.
13 Close the NDSCons utility.
14 Log in to the server you want to use as the secondary node of the cluster.
utility is located in the eDirectory installation folder by default.
18 Run the following command:
dsclusterconfig.exe -s /<shared file system>
Where <shared file system> is the cluster shared storage. The path of the <shared file system> should be the same as the path location specified when the primary node was configured.
19 The dsclusterconfig utility updates the registry on the secondary cluster node to point to the shared eDirectory data located on the shared cluster file system.
20 After the configuration utility finishes configuring the secondary node, open the NDSCons utility.
21 In the NDSCons utility, click Startup.
22 Click Yes to confirm.
23 When NDSCons starts all eDirectory services, verify eDirectory, then click Shutdown.
24 Click Yes to confirm.
25 To configure eDirectory in the Cluster Resource group, create a new resource in the Resource Group to be used for eDirectory. You must provide the following details:
Resource type: Generic Service
Dependent on: IP address and shared disk in the Resource Group
Service name: NDS Server0
No start parameters
Registry keys: SYSTEM\CurrentControlSet\Services\NDS Server0
NOTE: Ideally, the cluster manager checks that the same DIB is not accessed by two or more nodes simultaneously. However, you must ensure that ndsd does not run from two or more cluster nodes simultaneously. This is because accessing the same DIB through two or more nodes leads to DIB corruption.
10.2.3
For more information, see Installing and Configuring SNMP Services for eDirectory in the Novell eDirectory 8.8 SP7 Administration Guide.
2 Save the eDirectory password when it prompts for the password.
3 Start the subagent.
4 Perform Step 1 to Step 3 on the other nodes.
10.3
10.3.1
10.3.2
Assign the following value to the ImagePath key:
"<primarynodeinstallfolder>\NDS\ndsserv.exe" /DataDir="<sharedstorage>\Files" ds
Where <primary node install folder> is the folder where you installed eDirectory on the primary node and <shared storage> is the path to the shared file system location.
10.4
-h -s -u
nds-cluster-config -u -s <sharedfilesystem>
11
This chapter contains the following information:
Section 11.1, Uninstalling eDirectory on Windows, on page 125
Section 11.2, Uninstalling eDirectory on Linux, Solaris, or AIX, on page 129
Section 11.3, Unattended Uninstallation of eDirectory on UNIX, on page 130
Section 11.4, Caveats for Uninstalling eDirectory, on page 131
11.1
11.1.1
Remove Programs.
2 Select eDirectory, ConsoleOne, or the SLP Directory Agent from the list, then click Add/Remove.
3 Confirm that you want to remove your selection by clicking Yes.
The Installation Wizard removes the program from the server.
11.1.2
Response Files
Uninstalling eDirectory on the Windows operating system can be made silent and more flexible by using a response file (remove.rsp) to complete the following tasks:
Complete unattended uninstallation with all required user inputs
Default configuration of components
Bypass all prompts during the installation
A response file is a text file containing sections and keys, similar to a Windows .ini file. You can create and edit a response file by using any ASCII text editor. eDirectory reads the uninstallation parameters directly from the response file and replaces the default uninstallation values with the response file values. The uninstallation program accepts the values from the response file and continues to uninstall without prompts.
[Novell:NDSforNT:1.0.0]
Tree Name: The name of the tree from which the server will be uninstalled.
Admin Login Name: The name (RDN) of the Administrator object in the tree that has full rights, at least to the context to which this server is added. All operations in the tree will be performed as this user.
Admin Context: Any user added to a tree has a user object that contains all the user-specific details. This parameter is the container object in the tree to which the Administrator object will be added. For primary server installations, this container will be created with the server object.
Admin Password: The password for the Administrator object created in the previous parameters. This password will be configured to the Administrator object during primary server installations. For secondary server installations, this needs to be the password of the Administrator object in the primary server that has rights to the context to which the new server is added.
NDS Location: The eDirectory install location in the local system where the libraries and binaries are copied. By default, eDirectory is installed into C:\Novell\NDS unless it is changed in the response file.
DataDir: Until eDirectory version 8.8, the DIB was installed inside the NDS location as a subfolder. Later, administrators were given the option to provide a different DIB location, because there might be too much data stored in the DIB to fit into the NDS location. Currently, by default the DIB is installed in the Files subfolder inside the NDS location, but administrators can change this parameter and provide a different location.
mode: The type of setup on eDirectory. The three types of setup are:
deconfigure: Performs the deconfiguration of eDirectory.
uninstall: Performs uninstallation of eDirectory.
full: Performs both deconfiguration and uninstallation of eDirectory.
NOTE: If you opt for the full setup mode during unattended install, then while uninstalling eDirectory you cannot opt for the individual deconfiguration and uninstallation options.
Configuration Mode: If the setup mentioned in the mode key is deconfigure, then ensure that you do not change the RestrictNodeRemove value of the Configuration Mode key.
Prompt: The type of the uninstallation mode should be mentioned in this variable. It will be set by default to silent for unattended uninstallation. If any value other than silent is set, then it will do a normal uninstallation.
The following is a sample of text in the response file for all the basic parameters described above:
[Novell:NDSforNT:1.0.0]
Tree Name=SILENTCORP-TREE
Admin Context=Novell
Admin Login Name=Admin
Admin Password=novell
prompt=silent
to
[PARAMETERS]0/OUTPUT_TO_FILE /SILENT
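Before handing a response file to a silent uninstall, it is worth checking it for the keys described above, since a silent run cannot prompt for what is missing, and the file necessarily carries the admin password in clear text. The following validator is an added example, not Novell's tooling; it assumes only the .ini-like layout described above (a [Novell:NDSforNT:1.0.0] section with keys such as Tree Name, Admin Login Name, Admin Context, Admin Password, mode and prompt) and the constructed sample values at the bottom.

```python
"""Validate an eDirectory remove.rsp response file before a silent uninstall.

Added example, not Novell's tooling.  It assumes only the .ini-like layout
described in the guide: a [Novell:NDSforNT:1.0.0] section with keys such as
Tree Name, Admin Login Name, Admin Context, Admin Password, mode and prompt.
"""
import os
import stat
from typing import Dict, List, Optional

SECTION = "Novell:NDSforNT:1.0.0"
REQUIRED = ("Tree Name", "Admin Login Name", "Admin Context", "Admin Password")
MODES = ("deconfigure", "uninstall", "full")


def parse_rsp(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [section] headers and key=value lines.

    Keys contain spaces and section names contain ':', so a hand-written
    parser is used instead of configparser (which treats ':' as a delimiter).
    Keys are stored lower-cased so lookups are case-insensitive.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                     # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                     # stray text outside a section
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def check_rsp(text: str) -> List[str]:
    """Return findings; an empty list means the file is ready for an unattended run."""
    findings: List[str] = []
    sections = {name.lower(): keys for name, keys in parse_rsp(text).items()}
    sec = sections.get(SECTION.lower())
    if sec is None:
        return [f"missing section [{SECTION}]"]
    for key in REQUIRED:
        if not sec.get(key.lower()):
            findings.append(f"missing required key: {key}")
    mode = sec.get("mode", "").lower()
    if mode and mode not in MODES:
        findings.append(f"mode must be one of {MODES}, got {mode!r}")
    if sec.get("prompt", "").lower() != "silent":
        findings.append("prompt is not 'silent': the uninstall will run interactively")
    if sec.get("admin password"):
        # The format stores the admin password in clear text; flag it so the
        # operator restricts access to the file and removes it after the run.
        findings.append("Admin Password is in clear text: restrict the file's ACL and delete it after the run")
    return findings


def check_rsp_file(path: str) -> List[str]:
    """check_rsp() plus a permission check on POSIX hosts (Windows ACLs are not inspected)."""
    with open(path, encoding="utf-8") as fh:
        findings = check_rsp(fh.read())
    if os.name == "posix":
        mode = os.stat(path).st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("response file is readable by group or other users")
    return findings


# Constructed sample mirroring the guide's example values (not a real tree).
SAMPLE_RSP = """\
[Novell:NDSforNT:1.0.0]
Tree Name=SILENTCORP-TREE
Admin Context=Novell
Admin Login Name=Admin
Admin Password=novell
prompt=silent
"""

if __name__ == "__main__":
    for finding in check_rsp(SAMPLE_RSP):
        print(finding)
```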
The install.exe installed in the eDirectory is invoked in the command line with a few additional parameters. Depending on the required setup, you must use either of the following commands:
Deconfigure
<Windows Installed Drive>\Program Files\Common Files\novell\ni\bin>install.exe remove /restrictnoderemove /nopleasewait ..\data\ip.db ..\data\remove.rsp Novell:NDSForNT:1.0.0 0 NDSonNT
Uninstall
1 Rename the ip.db file present in the <Windows Drive>\Program Files\Common Files\novell\ni\data directory to another name.
2 Copy the ip_conf.db file in the <Windows Drive>\Program Files\Common Files\novell\ni\data folder to ip.db.
3 Run the following command:
<Windows Installed Drive>\Program Files\Common Files\novell\ni\bin>install.exe -remove /nopleasewait ..\data\ip.db ..\data\remove.rsp Novell:NDSForNT:1.0.0 0 NDSonNT
After performing an uninstallation of eDirectory or a combination setup, delete the following folders:
C:\Novell\NDS (default location, or else from the eDirectory installed directory)
C:\Novell\NDS\Files (default location, or else from the eDirectory DIB location)
<Windows Installed Drive>:\Program Files\Common Files\Novell\ni
<Windows Installed Drive>:\Windows\system32\NDScpa.cpl
11.1.3
Uninstalling NICI
1 On the Windows server where eDirectory is installed, click Start > Settings > Control Panel > Add/Remove Programs.
2 Select NICI from the list, then click Add/Remove.
3 Confirm that you want to remove NICI by clicking Yes.
The Installation Wizard removes NICI from the server.
After uninstalling NICI, if you want to completely remove NICI from your system, delete the
C:\Windows\system32\novell\nici (32-bit) and C:\Windows\SysWOW64\novell\nici (64-bit)
11.1.4
eDirectory is installed.
2 Remove the following redistribution package:
32-bit: Microsoft Visual C++ 2005 Redistributable
64-bit: Microsoft Visual C++ 2005 Redistributable and Microsoft Visual C++ 2005 Redistributable (x64)
11.2
If you do not provide the required parameters in the command line, the ndsinstall utility will prompt for the parameters.
Parameter  Description
-h  Displays the help strings.
-s  Removes the eDirectory packages and binaries even when instances are configured. However, this option does not remove the DIB directory and the NDS configuration file. IMPORTANT: Ensure that using this option is not affecting other services for a long period.
ndsuninstall does not uninstall the following packages:
Package  Reasons for Not Removing
NICI package  Any other product; eDirectory installed in a custom location; eDirectory installed by a nonroot user
NOVLsubag  NOVLsubag could be used by any of the following:
11.3
For example:
ndsconfig rm -a admin.novell -w n -c
ndsconfig rm -a admin.novell -w env:ADM_PASWD -c
ndsconfig rm -a admin.novell -w file:/Builds/88SP7/adm_paswd -c
4 To uninstall the eDirectory packages, run the ndsuninstall script to remove the eDirectory packages:
nds-uninstall -u
11.4
12
12.1
12.1.1
Supported Platforms
32-Bit eDirectory on page 134
64-bit eDirectory on page 134
NOTE: eDirectory does not support auditing events on servers running AIX.
32-Bit eDirectory
Linux on page 134
Solaris on page 134
Windows on page 134
Linux
32-bit
SUSE Linux Enterprise Server (SLES) 11
SLES 10 SP1, SP2 and SP3
SLES 10 SP1, SP2 and SP3 XEN
Red Hat Enterprise Linux (RHEL) 5**
RHEL 5** AP
RHEL 5** AP Virtualization
RHEL 6.0
64-bit
SLES 11 64-bit
SLES 10 SP1, SP2, SP3 64-bit
SLES 10 SP1, SP2 and SP3 XEN 64-bit
RHEL 5** 64-bit
RHEL 5** AP 64-bit
RHEL 5** AP Virtualization 64-bit
RHEL 6.0
Solaris
Solaris* 10 on Sun SPARC
Windows
32-bit Windows* 2003 Enterprise Server SP2
32-bit Windows* 2008 Server (Standard/Enterprise/DataCenter Edition)
** Latest service pack
64-bit eDirectory
Linux
SLES 11 64-bit
SLES 10 SP1, SP2 and SP3 64-bit
SLES 10 SP1, SP2 and SP3 XEN 64-bit
RHEL 5** 64-bit
RHEL 5** AP 64-bit
RHEL 5** AP Virtualization 64-bit
RHEL 6.0
Solaris
Solaris* 10 on Sun SPARC
Windows
64-bit Windows* 2008 Server (Standard/Enterprise/DataCenter Edition)
Windows 2008 R2 Server (Standard/Enterprise/DataCenter Edition)
** Latest service pack
12.1.2
Prerequisites
eDirectory 8.8 SP7 auditing supports only the Audit Platform Agent.
Installing and using the Novell Audit iManager Plugin requires iManager 2.7.3 or later. For more information, refer to the Novell iManager Documentation Page (http://www.novell.com/documentation/imanager27/index.html).
12.1.3
Linux
If the Audit Platform Agent configuration file (logevent.conf) already exists in /etc, back up the file before installing the Audit packages, because the new package overwrites the existing configuration.
If the Audit module is already loaded, unload the auditds module by using the ndstrace -c "unload auditds" command.
extracted eDirectory build for the Linux platform.
#rpm -Uvh /root/eDirectory/setup/novell-AUDTplatformagent-2.0.2-62.i586.rpm
2 Install novell-AUDTedirinst-8.8.7-xx.i586.rpm from the setup directory of the extracted eDirectory build for the Linux platform.
#rpm -Uvh /root/eDirectory/setup/novell-AUDTedirinst-8.8.7-xx.i586.rpm
For the 64-bit Audit package:
1 Install novell-AUDTplatformagent-2.0.2-62.x86_64.rpm from the setup directory of the extracted eDirectory build for the Linux platform.
#rpm -Uvh /root/eDirectory/setup/novell-AUDTplatformagent-2.0.2-62.x86_64.rpm
2 Install the novell-AUDTedirinst-8.8.6-xx.x86_64.rpm from the setup directory of the extracted eDirectory build for the Linux platform.
#rpm -Uvh <eDirectory build extracted folder>/eDirectory/setup/novellAUDTedirinst-8.8.6-xx.x86_64.rpm
Solaris
If the Audit Platform Agent configuration file (logevent.conf) already exists in /etc, then back up the file before installing the Audit packages, as the new package overwrites the existing configuration.
If the Audit Platform Agent is already loaded, unload the auditds module by using the ndstrace -c "unload auditds" command.
Windows
If the Audit Platform Agent configuration file (logevent.cfg) already exists in C:\WINDOWS, back up the file before installing instrumentation, because the new package overwrites the existing configuration.
For 32-bit installation of Audit packages and Audit Platform Agent:
1 Run the pa_win32.exe file for the 32-bit Audit Platform Agent from the installer folder.
2 Unzip the eDirectoryInstrumentation-win-8.8.7.zip file for 32-bit Instrumentation from the <installerFolder>/nt/auditds/. Unzipping this file creates a Novell directory.
3 Copy the Novell\NDS\nauditds.dlm to the C:\Novell\NDS directory or to any other directory where eDirectory is installed.
4 Copy the Novell\NDS\ediraudit.sch file to the C:\Novell\NDS directory or to any other directory where eDirectory is installed on the Windows server.
For 64-bit installation of Audit packages and Audit Platform Agent:
1 Run the pa_win64.exe file for the 64-bit Audit Platform Agent.
2 Unzip the eDirectoryInstrumentation-win-8.8.7.zip file for the 64-bit Audit package from the <installerFolder>/nt/auditds/. Unzipping this file creates a Novell directory.
3 Copy the Novell\NDS\nauditds.dlm to the C:\Novell\NDS directory or to any other directory where eDirectory is installed.
4 Copy the Novell\NDS\ediraudit.sch file to the C:\Novell\NDS directory or to any other directory where eDirectory is installed on the Windows server.
12.1.4
12.1.5
12.1.6
Add Property Allow Login Change Password Change Security Equals Create Delete Delete Property Login Logout Modify RDN Move (Destination) Move (Source) Remove Rename Restore Search Verify Password
Attributes
Category Agent
Event Type
Miscellaneous
LDAP
LDAP Bind LDAP Modify LDAP Password Modify LDAP Add Response LDAP Unbind LDAP Delete LDAP Modify DN LDAP Modify Response LDAP Search LDAP Bind Response LDAP Delete Response LDAP Add LDAP Search Response LDAP Modify DN Response
12.1.7
Create Delete
Category Attributes
Event Type
LDAP
Object Class
For example, if you want to be notified when someone creates a user account in eDirectory, you can create a filter using iManager to look for only Create Object events that create a User object.
In iManager, navigate to Roles and Tasks > eDirectory Auditing > Audit Configuration, select the NCP Server you want to monitor, and then click the Novell Audit tab. In the Objects list, click the Create hyperlink. In the Available Object Classes list, select User, then click the right arrow to move User to the Selected Object Classes list, and then click OK.
With the filter configured, eDirectory checks all generated events for user creation events and sends those events to the client. If you do not select other event types or configure filtering for other object classes or attributes, eDirectory only audits user creation events.
Note that Object and LDAP category filters only allow you to filter on object classes, while Attribute category filters allow you to filter on both object classes and attributes.
If you select one of the event types above but do not specify an object class or attribute on which to filter, eDirectory sends all events of that event type to the client.
12.1.8
12.1.9
Using iManager, select the eDirectory event types that you want to audit:
1 Log in to the iManager console using the following URL:
https://ip_address_or_DNS/nps/
where ip_address_or_DNS is the IP address or DNS name of your iManager server. For example:
https://192.168.0.5/nps/
2 Under Roles and Tasks, select eDirectory Auditing > Audit Configuration.
3 Browse to and select the NCP Server object that corresponds to the eDirectory Server from which you want to collect events. Click OK.
4 Click the Novell Audit tab to display the eDirectory Instrumentation Settings page.
5 If you do not want eDirectory to send replicated events to another replica in the replica ring, select Do Not Send Replicated Events. You can use this option to filter out unnecessary event noise and reduce log size.
6 If you want to enable inline pre-event reporting, select Register For Events Inline. Note that selecting this option can slow eDirectory performance.
7 Select the event types that you want to audit.
8 If you want to filter events for one or more specific object classes, complete the following steps:
8a Click one of the following hyperlinked objects:
click the right arrow.
8c Click OK, then click OK again.
9 If you want to filter events for one or more specific attributes, complete the following steps:
9a Click one of the following hyperlinked objects:
Attributes > Add Value
Attributes > Delete Value
9b In the Available Attributes list, select the attributes for which you want to audit events and click the right arrow.
9c Click OK, then click OK again.
12.1.10
Linux
1 Run the following command to load the Audit module if it is not already loaded:
ndstrace -c "load auditds"
2 Run the following command to unload the Audit module:
ndstrace -c "unload auditds"
Windows
1 To load the Audit module, click Start > Control Panel > Novell eDirectory Services. Select nauditds from the Services tab, then click Start.
2 To unload the Audit module, click Start > Control Panel > Novell eDirectory Services. Select nauditds
steps:
3a Click Start > Control Panel > Novell eDirectory Services.
3b Select nauditds from the Services tab, then click Startup.
3c Select Automatic, then click OK.
4 To disable automatic loading of the Audit module when eDirectory is started, complete the following steps:
4a Click Start > Control Panel > Novell eDirectory Services.
4b Select nauditds from the Services tab, click Startup.
4c Deselect the Automatic check box, then click OK.
12.1.11
where ip_address_or_DNS is the IP address or DNS name of your iManager server. For example:
https://192.168.0.5/nps/
2 Under Roles and Tasks, select Directory Administration > Modify Object.
3 Browse to and select the eDirectory container you want to audit. Click OK.
NOTE: You do not need to configure any other Intruder Detection related settings or enable the Lock account after detection setting.
12.1.12
NOTE: The rpm name is the same for both 32- and 64-bit Audit packages.
#rpm -e --nodeps novell-AUDTedirinst-8.8.6-xx
3 Disable automatic loading of Audit modules when eDirectory is started by editing the /etc/opt/novell/eDirectory/conf/ndsmodules.conf file and removing the line corresponding to auditds (if it exists). The line corresponding to auditds is as follows:
auditds auto #eDirectory Instrumentation
For example, the package can be uninstalled using the following commands:
#pkgrm NOVLaudin
#pkgrm NOVLaudinx
3 Disable automatic loading of Novell Audit when eDirectory is started by editing the /etc/opt/novell/eDirectory/conf/ndsmodules.conf file and removing the line corresponding to auditds (if it exists). The line corresponding to auditds is as follows:
auditds auto #eDirectory Instrumentation
started:
4a Navigate to Start > Control Panel > Novell eDirectory Services.
4b Select Services.
4c Click nauditds.dlm, then click Startup.
4d Disable the Automatic option by clearing the check box.
4e Click OK.
NOTE: If no other instrumentation is installed, uninstall the Audit Platform Agent by deleting the logevent.dll file from C:\Novell\NDS.
12.2
Package  Description
NOVLice  Contains the Novell Import Convert Export utility and is dependent on the NOVLlmgnt, NOVLxis, and NLDAPbase packages.
NDSbase  Represents the Directory User Agent. This package is dependent on the NICI package. The NDSbase package contains the following: Authentication toolbox containing the RSA authentication needed for eDirectory; Platform-independent system abstraction library, a library containing all the defined Directory User Agent functions, and the schema extension library; Combined configuration utility and the Directory User Agent test utility; eDirectory configuration file and manual pages
NDScommon  Contains the man pages for the eDirectory configuration file, install, and uninstall utilities. This package is dependent on the NDSbase package.
NDSmasv  Contains the libraries required for mandatory access control (MASV).
Package  Description
NDSserv  Contains all the binaries and libraries needed by the eDirectory Server. It also contains the utilities to manage the eDirectory Server on the system. This package is dependent on the NDSbase, NDScommon, NDSmasv, NLDAPsdk, NOVLpkia and NOVLpkit packages. The NDSserv package contains the following: NDS install library, FLAIM library, trace library, NDS library, LDAP server library, LDAP install library, index editor library, DNS library, merge library, and LDAP extension library for LDAP SDK; eDirectory Server daemon; Binary for DNS and a binary to load or unload LDAP; The utility needed to create the MAC address, the utility to trace the server and change some of the global variables of the server, the utility to back up and restore eDirectory, and the utility to merge eDirectory trees
Contains all the NMAS libraries and the nmasinst binaries needed for NMAS server. This package is dependent on the NICI and NDSmasv packages. Contains Novell extensions to LDAP runtime and Security libraries (Client NICI). Contains the runtime libraries and utilities for the eDirectory SNMP subagent. This package is dependent on the NICI, NDSbase, and NLDAPbase packages. Provides PKI Services which do not require eDirectory. This package is dependent on the NICI and NLDAPsdk packages. Provides PKI Server Service. This package is dependent on the NICI, NDSbase, and NLDAPsdk packages. The runtime libraries and utilities for SNMP. This package is dependent on the NICI package. Contains the library that manages events generated in Novell eDirectory to other databases. Provides PKI services. This package is dependent on the NICI, NDSbase, and NLDAPsdk packages. Provides the eMBox infrastructure and eMTools.
Package
Description Contains runtime libraries for Novell Language Management. Contains the runtime libraries for Novell XIS. Contains the Novell SAS libraries. Contains Novell TLS library. This package is identified as:
B.1
B.2
B.2.1
Windows
The eDirectory health checks happen as part of the installation wizard. You can enable or disable the health checks when prompted to do so.
B.2.2
As a Standalone Utility
You can run the eDirectory health checks as a standalone utility any time you want. The following table lists the health check utility names for each platform.
Table B-1 Health Check Utilities
Utility Name
ndscheck
Syntax:
ndscheck [--help | -?]  Display command usage
ndscheck [--version | -v]  Display version information
ndscheck [-h <hostname[:port]>] [-a <admin FDN>] [-F <log file>] [-D] [-q] [--config-file <file name>]
Windows
ndscheck
Syntax:
ndscheck [--help | -?]  Display command usage
ndscheck [--version | -v]  Display version information
ndscheck [-h <hostname[:port]>] [-a <admin FDN>] [-F <log file>] [-D] [-q] [--config-file <file name>]
B.3
B.3.1
B.3.2
B.4
Categorization of Health
There are three possible categories of health, based on the errors found while checking the health of an eDirectory server:
Normal (page 153)
Warning (page 153)
Critical (page 154)
The status of the health checks is logged into a log file. For more information, refer to Section B.5, Log Files, on page 155.
B.4.1
Normal
All the health checks were successful and the server health is normal. The upgrade proceeds without an interruption.
B.4.2
Warning
Minor errors were found while checking the server health.
If the health check is run as part of the upgrade, you are prompted to either abort or continue. For more information, see Figure B-1 on page 154.
Warnings normally occur in the following scenarios:
Server not listening on LDAP and HTTP ports (normal, secure, or both).
Unable to contact any of the nonmaster servers in the replica ring.
Servers in the replica ring are not in sync.
B.4.3
Critical
Critical errors were found while checking the eDirectory health.
If the health check is run as part of the eDirectory upgrade, the upgrade operation is aborted. For more information, see Figure B-2 on page 155.
The critical state normally occurs in the following scenarios:
Unable to read or open the DIB (might be locked or corrupt).
Unable to contact all the servers in the replica ring.
Locally held partitions are busy.
Replica is not in the ON state.
B.5
Log Files
Every eDirectory health check operation, whether it is run with the upgrade or as a standalone utility, maintains the status of the health in a log file.
The content of the log file is similar to the messages displayed on the screen when the checks are happening. For example, see Figure B-1 on page 154 and Figure B-2 on page 155.
The health check log file contains the following:
Status of the health checks (normal, warning, or critical).
URLs where possible solutions can be found.
Support forums (http://forums.novell.com/netiq/netiqproductdiscussionforums/edirectory/)
Log Filename  Location
ndscheck.log  1. If you use the -h option, the ndscheck.log file is saved in the user's home directory. 2. If you use the --config-file option, the ndscheck.log file is saved in the server instance's log directory. You can also select an instance from the multiple instances list.
Windows
nsdcheck.log  install_directory\nds\.
NOTE: install_directory is user specified.
This appendix provides information for network administrators on the proper configuration of OpenSLP for Novell eDirectory installations without the Novell Client.
Section C.1, Service Location Protocol, on page 157
Section C.2, SLP Fundamentals, on page 157
Section C.3, Configuration Parameters, on page 159
C.1
C.2
SLP Fundamentals
Service Location Protocol specifies three components:
The user agent (UA)
The service agent (SA)
The directory agent (DA)
The user agent's job is to provide a programmatic interface for clients to query for services, and for services to advertise themselves. A user agent contacts a directory agent to query for registered services of a specified service class and within a specified scope.
The service agent's job is to provide persistent storage and maintenance points for local services that have registered themselves with SLP. The service agent essentially maintains an in-memory database of registered local services. In fact, a service cannot register with SLP unless a local SA is present.
Clients can discover services with only a UA library, but registration requires an SA, primarily because an SA must reassert the existence of registered services periodically in order to maintain the registration with listening directory agents.
The directory agent's job is to provide a long-term persistent cache for advertised services, and to provide a point of access for user agents to look up services. As a cache, the DA listens for SAs to advertise new services, and caches those notifications. Over a short time, a DA's cache will become more complete. Directory agents use an expiration algorithm to expire cache entries. When a directory agent comes up, it reads its cache from persistent storage (generally a hard drive), and then begins to expire entries according to the algorithm. When a new DA comes up, or when a cache has been deleted, the DA detects this condition and sends out a special notification to all listening SAs to dump their local databases so the DA can quickly build its cache.
In the absence of any directory agents, the UA will resort to a general multicast query that SAs can respond to, building a list of the requested services in much the same manner that DAs use to build their cache. The list of services returned by such a query is an incomplete and much more localized list than that provided by a DA, especially in the presence of multicast filtering, which is done by many network administrators, limiting broadcasts and multicasts to only the local subnet.
In summary, everything hinges on the directory agent that a user agent finds for a given scope.
C.2.1
C.2.2
User Agents
A user agent takes the physical form of a static or dynamic library that is linked into an application. It allows the application to query for SLP services.
User agents follow an algorithm to obtain the address of a directory agent to which queries will be sent. Once they obtain a DA address for a specified scope, they continue to use that address for that scope until it no longer responds, at which time they obtain another DA address for that scope. User agents locate a directory agent address for a specified scope by:
1. Checking to see if the socket handle on the current request is connected to a DA for the specified scope. If the request happens to be a multipart request, there may already be a cached connection present on the request.
2. Checking its local known DA cache for a DA matching the specified scope.
3. Checking with the local SA for a DA with the specified scope (and adding new addresses to the cache).
4. Querying DHCP for network configured DA addresses that match the specified scope (and adding new addresses to the cache).
5. Multicasting a DA discovery request on a well-known port (and adding new addresses to the cache).
The specified scope is default if not specified. That is, if no scope is statically defined in the SLP configuration file, and no scope is specified in the query, then the scope used is the word default. It should also be noted that eDirectory never specifies a scope in its registrations. That's not to say the scope always used with eDirectory is default. In fact, if there is a statically configured scope, that scope becomes the default scope for all local UA requests and SA registrations in the absence of a specified scope.
C.2.3
Service Agents
Service agents take the physical form of a separate process on the host machine. In the case of Windows, slpd.exe runs as a service on the local machine. User agents query the local service agent by sending messages to the loopback address on a well-known port.
A service agent locates and caches directory agents and their supported scope list by sending a DA discovery request directly to potential DA addresses by:
1. Checking all statically configured DA addresses (and adding new ones to the SA's known DA cache).
2. Requesting a list of DAs and scopes from DHCP (and adding new ones to the SA's known DA cache).
3. Multicasting a DA discovery request on a well-known port (and adding new ones to the SA's known DA cache).
4. Receiving DA advertising packets that are periodically broadcast by DAs (and adding new ones to the SA's known DA cache).
Since a user agent always queries the local service agent first, this is important, as the local service agent's response will determine whether or not the user agent continues to the next stage of discovery (in this case DHCP; see steps 3 and 4 in User Agents on page 158).
C.3
Configuration Parameters
Certain configuration parameters in the %systemroot%/slp.conf file control DA discovery as well:
net.slp.useScopes = <comma delimited scope list>
net.slp.DAAddresses = <comma delimited address list>
net.slp.passiveDADetection = <"true" or "false">
net.slp.activeDADetection = <"true" or "false">
net.slp.DAActiveDiscoveryInterval = <0, 1, or a number of seconds>
The passiveDADetection option is True by default. Directory agents will periodically broadcast their existence on the subnet on a well-known port if configured to do so. These packets are termed DAAdvert packets. If this option is set to False, all broadcast DAAdvert packets are ignored by the SA.
The activeDADetection option is also True by default. This allows the SA to periodically broadcast a request for all DAs to respond with a directed DAAdvert packet. A directed packet is not broadcast, but sent directly to the SA in response to these requests. If this option is set to False, no periodic DA discovery request is broadcast by the SA.
The DAActiveDiscoveryInterval option is a tri-state parameter. The default value is 1, which is a special value meaning that the SA should only send out one DA discovery request upon initialization. Setting this option to 0 has the same effect as setting the activeDADetection option to false. Any other value is a number of seconds between discovery broadcasts.
These options, when used properly, can ensure an appropriate use of network bandwidth for service advertising. In fact, the default settings are designed to optimize scalability on an average network.
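The interaction of these three settings is easy to misjudge when reviewing an slp.conf, so the following added example (not part of the guide or of OpenSLP) reads the net.slp.* lines and reports the resulting DA discovery behaviour: the effective scope list, the static DA addresses, whether broadcast DAAdvert packets are honoured, and whether active discovery is off, once at initialization, or periodic. It also flags the case where the SA has no discovery path left except DHCP, which is when user agents end up on the multicast query path described earlier. The slp.conf excerpt at the bottom is constructed for the example.

```python
"""Work out the effective DA discovery behaviour from slp.conf settings.

Added example, not part of the guide or of OpenSLP.  It encodes the rules
explained in the guide for net.slp.useScopes, net.slp.DAAddresses,
net.slp.passiveDADetection, net.slp.activeDADetection and
net.slp.DAActiveDiscoveryInterval; slpd's own parser is not reused.
"""
from dataclasses import dataclass
from typing import Dict, List

# Defaults as described in the guide: both detection modes on, one discovery at start.
DEFAULTS = {
    "net.slp.usescopes": "",
    "net.slp.daaddresses": "",
    "net.slp.passivedadetection": "true",
    "net.slp.activedadetection": "true",
    "net.slp.daactivediscoveryinterval": "1",
}


@dataclass
class DaDiscovery:
    scopes: List[str]        # scopes used when a query names none ("default" if unset)
    static_das: List[str]    # statically configured DA addresses, tried first
    passive: bool            # whether broadcast DAAdvert packets are honoured
    active: str              # "off", "once" (at initialization) or "every N s"

    def multicast_fallback_only(self) -> bool:
        """True when the SA has no way to learn a DA except DHCP, so UAs
        will end up on the multicast query path instead of a DA."""
        return not self.static_das and not self.passive and self.active == "off"


def parse_slp_conf(text: str) -> Dict[str, str]:
    """Return net.slp.* settings (keys lower-cased) layered over DEFAULTS.
    Lines starting with ';' or '#' are comments, as in slp.conf itself."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def _csv(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def _enabled(value: str) -> bool:
    return value.strip().lower() == "true"


def da_discovery(settings: Dict[str, str]) -> DaDiscovery:
    """Apply the tri-state interval rule: 0 disables active discovery,
    1 means a single request at initialization, anything else is a period."""
    scopes = _csv(settings["net.slp.usescopes"]) or ["default"]
    static_das = _csv(settings["net.slp.daaddresses"])
    passive = _enabled(settings["net.slp.passivedadetection"])
    interval = int(settings["net.slp.daactivediscoveryinterval"])
    if not _enabled(settings["net.slp.activedadetection"]) or interval == 0:
        active = "off"
    elif interval == 1:
        active = "once"
    else:
        active = f"every {interval} s"
    return DaDiscovery(scopes, static_das, passive, active)


# Constructed slp.conf excerpt (TEST-NET addresses, not a real deployment).
SAMPLE_CONF = """\
; Commented-out defaults are ignored, exactly as slpd ignores them
;net.slp.passiveDADetection = true
net.slp.useScopes = corp, branch
net.slp.DAAddresses = 192.0.2.10,192.0.2.11
net.slp.passiveDADetection = false
net.slp.activeDADetection = true
net.slp.DAActiveDiscoveryInterval = 300
"""

if __name__ == "__main__":
    print(da_discovery(parse_slp_conf(SAMPLE_CONF)))
    print(da_discovery(parse_slp_conf("")))   # pure defaults
```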